CodeQL documentation
CodeQL resources

CodeQL full CWE coverage

An overview of the full coverage of MITRE’s Common Weakness Enumeration (CWE) for the latest release of CodeQL.

Overview

CWE Language Query id Query name
CWE-11 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE-12 C# cs/web/missing-global-error-handler Missing global error handler
CWE-13 C# cs/password-in-configuration Password in configuration file
CWE-14 C/C++ cpp/memset-may-be-deleted Call to memset may be deleted
CWE-20 C/C++ cpp/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE-20 C/C++ cpp/count-untrusted-data-external-api-ir Frequency counts for external APIs that are used with untrusted data
CWE-20 C/C++ cpp/untrusted-data-to-external-api-ir Untrusted data passed to external API
CWE-20 C/C++ cpp/untrusted-data-to-external-api Untrusted data passed to external API
CWE-20 C/C++ cpp/uncontrolled-process-operation Uncontrolled process operation
CWE-20 C/C++ cpp/unclear-array-index-validation Unclear validation of array index
CWE-20 C/C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE-20 C/C++ cpp/late-check-of-function-argument Late Check Of Function Argument
CWE-20 C/C++ cpp/linux-kernel-no-check-before-unsafe-put-user Linux kernel no check before unsafe_put_user vulnerability detection
CWE-20 C# cs/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE-20 C# cs/serialization-check-bypass Serialization check bypass
CWE-20 C# cs/untrusted-data-to-external-api Untrusted data passed to external API
CWE-20 C# cs/xml/missing-validation Missing XML validation
CWE-20 C# cs/assembly-path-injection Assembly path injection
CWE-20 Go go/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE-20 Go go/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE-20 Go go/incomplete-url-scheme-check Incomplete URL scheme check
CWE-20 Go go/regex/missing-regexp-anchor Missing regular expression anchor
CWE-20 Go go/suspicious-character-in-regex Suspicious characters in a regular expression
CWE-20 Go go/untrusted-data-to-external-api Untrusted data passed to external API
CWE-20 Go go/untrusted-data-to-unknown-external-api Untrusted data passed to unknown external API
CWE-20 Java/Kotlin java/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE-20 Java/Kotlin java/overly-large-range Overly permissive regular expression range
CWE-20 Java/Kotlin java/untrusted-data-to-external-api Untrusted data passed to external API
CWE-20 Java/Kotlin java/improper-validation-of-array-construction Improper validation of user-provided size used for array construction
CWE-20 Java/Kotlin java/improper-validation-of-array-construction-code-specified Improper validation of code-specified size used for array construction
CWE-20 Java/Kotlin java/improper-validation-of-array-construction-local Improper validation of local user-provided size used for array construction
CWE-20 Java/Kotlin java/improper-validation-of-array-index Improper validation of user-provided array index
CWE-20 Java/Kotlin java/improper-validation-of-array-index-code-specified Improper validation of code-specified array index
CWE-20 Java/Kotlin java/improper-validation-of-array-index-local Improper validation of local user-provided array index
CWE-20 Java/Kotlin java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE-20 JavaScript/TypeScript js/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE-20 JavaScript/TypeScript js/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE-20 JavaScript/TypeScript js/incomplete-url-scheme-check Incomplete URL scheme check
CWE-20 JavaScript/TypeScript js/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE-20 JavaScript/TypeScript js/incorrect-suffix-check Incorrect suffix check
CWE-20 JavaScript/TypeScript js/missing-origin-check Missing origin verification in postMessage handler
CWE-20 JavaScript/TypeScript js/regex/missing-regexp-anchor Missing regular expression anchor
CWE-20 JavaScript/TypeScript js/overly-large-range Overly permissive regular expression range
CWE-20 JavaScript/TypeScript js/untrusted-data-to-external-api Untrusted data passed to external API
CWE-20 JavaScript/TypeScript js/useless-regexp-character-escape Useless regular-expression character escape
CWE-20 JavaScript/TypeScript js/bad-tag-filter Bad HTML filtering regexp
CWE-20 JavaScript/TypeScript js/double-escaping Double escaping or unescaping
CWE-20 JavaScript/TypeScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE-20 JavaScript/TypeScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE-20 JavaScript/TypeScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE-20 JavaScript/TypeScript js/untrusted-data-to-external-api-more-sources Untrusted data passed to external API with additional heuristic sources
CWE-20 Python py/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE-20 Python py/untrusted-data-to-external-api Untrusted data passed to external API
CWE-20 Python py/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE-20 Python py/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE-20 Python py/overly-large-range Overly permissive regular expression range
CWE-20 Python py/bad-tag-filter Bad HTML filtering regexp
CWE-20 Ruby rb/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE-20 Ruby rb/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE-20 Ruby rb/regex/badly-anchored-regexp Badly anchored regular expression
CWE-20 Ruby rb/regex/missing-regexp-anchor Missing regular expression anchor
CWE-20 Ruby rb/overly-large-range Overly permissive regular expression range
CWE-20 Ruby rb/bad-tag-filter Bad HTML filtering regexp
CWE-20 Ruby rb/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE-20 Ruby rb/incomplete-sanitization Incomplete string escaping or encoding
CWE-20 Swift swift/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE-20 Swift swift/missing-regexp-anchor Missing regular expression anchor
CWE-20 Swift swift/bad-tag-filter Bad HTML filtering regexp
CWE-22 C/C++ cpp/path-injection Uncontrolled data used in path expression
CWE-22 C# cs/path-injection Uncontrolled data used in path expression
CWE-22 C# cs/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-22 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-22 Go go/path-injection Uncontrolled data used in path expression
CWE-22 Go go/unsafe-unzip-symlink Arbitrary file write extracting an archive containing symbolic links
CWE-22 Go go/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-22 Java/Kotlin java/path-injection Uncontrolled data used in path expression
CWE-22 Java/Kotlin java/path-injection-local Local-user-controlled data in path expression
CWE-22 Java/Kotlin java/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-22 Java/Kotlin java/partial-path-traversal Partial path traversal vulnerability
CWE-22 Java/Kotlin java/partial-path-traversal-from-remote Partial path traversal vulnerability from remote
CWE-22 Java/Kotlin java/openstream-called-on-tainted-url openStream called on URLs created from remote source
CWE-22 JavaScript/TypeScript js/path-injection Uncontrolled data used in path expression
CWE-22 JavaScript/TypeScript js/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-22 Python py/path-injection Uncontrolled data used in path expression
CWE-22 Python py/tarslip Arbitrary file write during tarfile extraction
CWE-22 Python py/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-22 Python py/tarslip-extended Arbitrary file write during tarfile extraction
CWE-22 Python py/unsafe-unpacking Arbitrary file write during a tarball extraction from a user controlled source
CWE-22 Ruby rb/zip-slip Arbitrary file access during archive extraction ("Zip Slip")
CWE-22 Ruby rb/path-injection Uncontrolled data used in path expression
CWE-22 Swift swift/unsafe-unpacking Arbitrary file write during a zip extraction from a user controlled source
CWE-22 Swift swift/path-injection Uncontrolled data used in path expression
CWE-23 C/C++ cpp/path-injection Uncontrolled data used in path expression
CWE-23 C# cs/path-injection Uncontrolled data used in path expression
CWE-23 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-23 Go go/path-injection Uncontrolled data used in path expression
CWE-23 Java/Kotlin java/path-injection Uncontrolled data used in path expression
CWE-23 Java/Kotlin java/path-injection-local Local-user-controlled data in path expression
CWE-23 Java/Kotlin java/partial-path-traversal Partial path traversal vulnerability
CWE-23 Java/Kotlin java/partial-path-traversal-from-remote Partial path traversal vulnerability from remote
CWE-23 JavaScript/TypeScript js/path-injection Uncontrolled data used in path expression
CWE-23 Python py/path-injection Uncontrolled data used in path expression
CWE-23 Ruby rb/path-injection Uncontrolled data used in path expression
CWE-23 Swift swift/path-injection Uncontrolled data used in path expression
CWE-36 C/C++ cpp/path-injection Uncontrolled data used in path expression
CWE-36 C# cs/path-injection Uncontrolled data used in path expression
CWE-36 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-36 Go go/path-injection Uncontrolled data used in path expression
CWE-36 Java/Kotlin java/path-injection Uncontrolled data used in path expression
CWE-36 Java/Kotlin java/path-injection-local Local-user-controlled data in path expression
CWE-36 Java/Kotlin java/openstream-called-on-tainted-url openStream called on URLs created from remote source
CWE-36 JavaScript/TypeScript js/path-injection Uncontrolled data used in path expression
CWE-36 Python py/path-injection Uncontrolled data used in path expression
CWE-36 Ruby rb/path-injection Uncontrolled data used in path expression
CWE-36 Swift swift/path-injection Uncontrolled data used in path expression
CWE-73 C/C++ cpp/path-injection Uncontrolled data used in path expression
CWE-73 C# cs/path-injection Uncontrolled data used in path expression
CWE-73 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-73 Go go/path-injection Uncontrolled data used in path expression
CWE-73 Java/Kotlin java/path-injection Uncontrolled data used in path expression
CWE-73 Java/Kotlin java/path-injection-local Local-user-controlled data in path expression
CWE-73 Java/Kotlin java/file-path-injection File Path Injection
CWE-73 JavaScript/TypeScript js/path-injection Uncontrolled data used in path expression
CWE-73 JavaScript/TypeScript js/template-object-injection Template Object Injection
CWE-73 Python py/path-injection Uncontrolled data used in path expression
CWE-73 Python py/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-73 Ruby rb/path-injection Uncontrolled data used in path expression
CWE-73 Ruby rb/kernel-open Use of Kernel.open, IO.read or similar sinks with user-controlled input
CWE-73 Ruby rb/non-constant-kernel-open Use of Kernel.open or IO.read or similar sinks with a non-constant value
CWE-73 Ruby rb/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-73 Swift swift/path-injection Uncontrolled data used in path expression
CWE-74 C/C++ cpp/non-constant-format Non-constant format string
CWE-74 C/C++ cpp/command-line-injection Uncontrolled data used in OS command
CWE-74 C/C++ cpp/cgi-xss CGI script vulnerable to cross-site scripting
CWE-74 C/C++ cpp/sql-injection Uncontrolled data in SQL query
CWE-74 C/C++ cpp/tainted-format-string Uncontrolled format string
CWE-74 C/C++ cpp/wordexp-injection Uncontrolled data used in wordexp command
CWE-74 C# cs/path-injection Uncontrolled data used in path expression
CWE-74 C# cs/command-line-injection Uncontrolled command line
CWE-74 C# cs/web/xss Cross-site scripting
CWE-74 C# cs/sql-injection SQL query built from user-controlled sources
CWE-74 C# cs/ldap-injection LDAP query built from user-controlled sources
CWE-74 C# cs/xml-injection XML injection
CWE-74 C# cs/code-injection Improper control of generation of code
CWE-74 C# cs/resource-injection Resource injection
CWE-74 C# cs/uncontrolled-format-string Uncontrolled format string
CWE-74 C# cs/xml/xpath-injection XPath injection
CWE-74 C# cs/web/disabled-header-checking Header checking disabled
CWE-74 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-74 Go go/path-injection Uncontrolled data used in path expression
CWE-74 Go go/command-injection Command built from user-controlled sources
CWE-74 Go go/stored-command Command built from stored data
CWE-74 Go go/reflected-xss Reflected cross-site scripting
CWE-74 Go go/stored-xss Stored cross-site scripting
CWE-74 Go go/sql-injection Database query built from user-controlled sources
CWE-74 Go go/unsafe-quoting Potentially unsafe quoting
CWE-74 Go go/xml/xpath-injection XPath injection
CWE-74 Go go/ldap-injection LDAP query built from user-controlled sources
CWE-74 Go go/dsn-injection SQL Data-source URI built from user-controlled sources
CWE-74 Go go/dsn-injection-local SQL Data-source URI built from local user-controlled sources
CWE-74 Go go/html-template-escaping-passthrough HTML template escaping passthrough
CWE-74 Java/Kotlin java/jndi-injection JNDI lookup with user-controlled name
CWE-74 Java/Kotlin java/xslt-injection XSLT transformation with user-controlled stylesheet
CWE-74 Java/Kotlin java/relative-path-command Executing a command with a relative path
CWE-74 Java/Kotlin java/command-line-injection Uncontrolled command line
CWE-74 Java/Kotlin java/exec-tainted-environment Building a command with an injected environment variable
CWE-74 Java/Kotlin java/command-line-injection-local Local-user-controlled command line
CWE-74 Java/Kotlin java/concatenated-command-line Building a command line with string concatenation
CWE-74 Java/Kotlin java/android/webview-addjavascriptinterface Access Java object methods through JavaScript exposure
CWE-74 Java/Kotlin java/android/websettings-javascript-enabled Android WebView JavaScript settings
CWE-74 Java/Kotlin java/xss Cross-site scripting
CWE-74 Java/Kotlin java/xss-local Cross-site scripting from local source
CWE-74 Java/Kotlin java/concatenated-sql-query Query built by concatenation with a possibly-untrusted string
CWE-74 Java/Kotlin java/sql-injection Query built from user-controlled sources
CWE-74 Java/Kotlin java/sql-injection-local Query built from local-user-controlled sources
CWE-74 Java/Kotlin java/ldap-injection LDAP query built from user-controlled sources
CWE-74 Java/Kotlin java/android/arbitrary-apk-installation Android APK installation
CWE-74 Java/Kotlin java/groovy-injection Groovy Language injection
CWE-74 Java/Kotlin java/insecure-bean-validation Insecure Bean Validation
CWE-74 Java/Kotlin java/jexl-expression-injection Expression language injection (JEXL)
CWE-74 Java/Kotlin java/mvel-expression-injection Expression language injection (MVEL)
CWE-74 Java/Kotlin java/spel-expression-injection Expression language injection (Spring)
CWE-74 Java/Kotlin java/server-side-template-injection Server-side template injection
CWE-74 Java/Kotlin java/netty-http-request-or-response-splitting Disabled Netty HTTP header validation
CWE-74 Java/Kotlin java/http-response-splitting HTTP response splitting
CWE-74 Java/Kotlin java/http-response-splitting-local HTTP response splitting from local source
CWE-74 Java/Kotlin java/tainted-format-string Use of externally-controlled format string
CWE-74 Java/Kotlin java/tainted-format-string-local Use of externally-controlled format string from local source
CWE-74 Java/Kotlin java/xml/xpath-injection XPath injection
CWE-74 Java/Kotlin java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android WebView
CWE-74 Java/Kotlin java/ognl-injection OGNL Expression Language statement with user-controlled input
CWE-74 Java/Kotlin java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE-74 Java/Kotlin java/command-line-injection-extra Command Injection into Runtime.exec() with dangerous command
CWE-74 Java/Kotlin java/command-line-injection-extra-local Command Injection into Runtime.exec() with dangerous command
CWE-74 Java/Kotlin java/command-line-injection-experimental Uncontrolled command line (experimental sinks)
CWE-74 Java/Kotlin java/mybatis-annotation-sql-injection SQL injection in MyBatis annotation
CWE-74 Java/Kotlin java/mybatis-xml-sql-injection SQL injection in MyBatis Mapper XML
CWE-74 Java/Kotlin java/beanshell-injection BeanShell injection
CWE-74 Java/Kotlin java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE-74 Java/Kotlin java/jshell-injection JShell injection
CWE-74 Java/Kotlin java/javaee-expression-injection Jakarta Expression Language injection
CWE-74 Java/Kotlin java/jython-injection Injection in Jython
CWE-74 Java/Kotlin java/unsafe-eval Injection in Java Script Engine
CWE-74 Java/Kotlin java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE-74 Java/Kotlin java/spring-view-manipulation Spring View Manipulation
CWE-74 Java/Kotlin java/xquery-injection XQuery query built from user-controlled sources
CWE-74 JavaScript/TypeScript js/disabling-electron-websecurity Disabling Electron webSecurity
CWE-74 JavaScript/TypeScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE-74 JavaScript/TypeScript js/path-injection Uncontrolled data used in path expression
CWE-74 JavaScript/TypeScript js/template-object-injection Template Object Injection
CWE-74 JavaScript/TypeScript js/command-line-injection Uncontrolled command line
CWE-74 JavaScript/TypeScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE-74 JavaScript/TypeScript js/second-order-command-line-injection Second order command injection
CWE-74 JavaScript/TypeScript js/shell-command-injection-from-environment Shell command built from environment values
CWE-74 JavaScript/TypeScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-74 JavaScript/TypeScript js/unnecessary-use-of-cat Unnecessary use of cat process
CWE-74 JavaScript/TypeScript js/xss-through-exception Exception text reinterpreted as HTML
CWE-74 JavaScript/TypeScript js/reflected-xss Reflected cross-site scripting
CWE-74 JavaScript/TypeScript js/stored-xss Stored cross-site scripting
CWE-74 JavaScript/TypeScript js/html-constructed-from-input Unsafe HTML constructed from library input
CWE-74 JavaScript/TypeScript js/unsafe-jquery-plugin Unsafe jQuery plugin
CWE-74 JavaScript/TypeScript js/xss Client-side cross-site scripting
CWE-74 JavaScript/TypeScript js/xss-through-dom DOM text reinterpreted as HTML
CWE-74 JavaScript/TypeScript js/sql-injection Database query built from user-controlled sources
CWE-74 JavaScript/TypeScript js/code-injection Code injection
CWE-74 JavaScript/TypeScript js/actions/command-injection Expression injection in Actions
CWE-74 JavaScript/TypeScript js/bad-code-sanitization Improper code sanitization
CWE-74 JavaScript/TypeScript js/unsafe-code-construction Unsafe code constructed from library input
CWE-74 JavaScript/TypeScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE-74 JavaScript/TypeScript js/bad-tag-filter Bad HTML filtering regexp
CWE-74 JavaScript/TypeScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE-74 JavaScript/TypeScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE-74 JavaScript/TypeScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE-74 JavaScript/TypeScript js/unsafe-html-expansion Unsafe expansion of self-closing HTML tag
CWE-74 JavaScript/TypeScript js/tainted-format-string Use of externally-controlled format string
CWE-74 JavaScript/TypeScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE-74 JavaScript/TypeScript js/xpath-injection XPath injection
CWE-74 JavaScript/TypeScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE-74 JavaScript/TypeScript js/prototype-pollution-utility Prototype-polluting function
CWE-74 JavaScript/TypeScript js/prototype-pollution Prototype-polluting merge call
CWE-74 JavaScript/TypeScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE-74 JavaScript/TypeScript js/command-line-injection-more-sources Uncontrolled command line with additional heuristic sources
CWE-74 JavaScript/TypeScript js/xss-more-sources Client-side cross-site scripting with additional heuristic sources
CWE-74 JavaScript/TypeScript js/sql-injection-more-sources Database query built from user-controlled sources with additional heuristic sources
CWE-74 JavaScript/TypeScript js/code-injection-more-sources Code injection with additional heuristic sources
CWE-74 JavaScript/TypeScript js/tainted-format-string-more-sources Use of externally-controlled format string with additional heuristic sources
CWE-74 JavaScript/TypeScript js/xpath-injection-more-sources XPath injection with additional heuristic sources
CWE-74 JavaScript/TypeScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE-74 Python py/path-injection Uncontrolled data used in path expression
CWE-74 Python py/command-line-injection Uncontrolled command line
CWE-74 Python py/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-74 Python py/jinja2/autoescape-false Jinja2 templating with autoescape=False
CWE-74 Python py/reflective-xss Reflected server-side cross-site scripting
CWE-74 Python py/sql-injection SQL query built from user-controlled sources
CWE-74 Python py/ldap-injection LDAP query built from user-controlled sources
CWE-74 Python py/code-injection Code injection
CWE-74 Python py/xpath-injection XPath query built from user-controlled sources
CWE-74 Python py/nosql-injection NoSQL Injection
CWE-74 Python py/template-injection Server Side Template Injection
CWE-74 Python py/paramiko-command-injection RCE with user provided command with paramiko ssh client
CWE-74 Python py/reflective-xss-email Reflected server-side cross-site scripting
CWE-74 Python py/xslt-injection XSLT query built from user-controlled sources
CWE-74 Python py/header-injection HTTP Header Injection
CWE-74 Ruby rb/ldap-injection LDAP Injection
CWE-74 Ruby rb/server-side-template-injection Server-side template injection
CWE-74 Ruby rb/xpath-injection XPath query built from user-controlled sources
CWE-74 Ruby rb/path-injection Uncontrolled data used in path expression
CWE-74 Ruby rb/command-line-injection Uncontrolled command line
CWE-74 Ruby rb/kernel-open Use of Kernel.open, IO.read or similar sinks with user-controlled input
CWE-74 Ruby rb/non-constant-kernel-open Use of Kernel.open or IO.read or similar sinks with a non-constant value
CWE-74 Ruby rb/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-74 Ruby rb/reflected-xss Reflected server-side cross-site scripting
CWE-74 Ruby rb/stored-xss Stored cross-site scripting
CWE-74 Ruby rb/html-constructed-from-input Unsafe HTML constructed from library input
CWE-74 Ruby rb/sql-injection SQL query built from user-controlled sources
CWE-74 Ruby rb/code-injection Code injection
CWE-74 Ruby rb/unsafe-code-construction Unsafe code constructed from library input
CWE-74 Ruby rb/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE-74 Ruby rb/incomplete-sanitization Incomplete string escaping or encoding
CWE-74 Ruby rb/tainted-format-string Use of externally-controlled format string
CWE-74 Swift swift/path-injection Uncontrolled data used in path expression
CWE-74 Swift swift/command-line-injection System command built from user-controlled sources
CWE-74 Swift swift/unsafe-webview-fetch Unsafe WebView fetch
CWE-74 Swift swift/sql-injection Database query built from user-controlled sources
CWE-74 Swift swift/unsafe-js-eval JavaScript Injection
CWE-74 Swift swift/uncontrolled-format-string Uncontrolled format string
CWE-74 Swift swift/predicate-injection Predicate built from user-controlled sources
CWE-77 C/C++ cpp/command-line-injection Uncontrolled data used in OS command
CWE-77 C/C++ cpp/wordexp-injection Uncontrolled data used in wordexp command
CWE-77 C# cs/command-line-injection Uncontrolled command line
CWE-77 Go go/command-injection Command built from user-controlled sources
CWE-77 Go go/stored-command Command built from stored data
CWE-77 Go go/unsafe-quoting Potentially unsafe quoting
CWE-77 Java/Kotlin java/relative-path-command Executing a command with a relative path
CWE-77 Java/Kotlin java/command-line-injection Uncontrolled command line
CWE-77 Java/Kotlin java/exec-tainted-environment Building a command with an injected environment variable
CWE-77 Java/Kotlin java/command-line-injection-local Local-user-controlled command line
CWE-77 Java/Kotlin java/concatenated-command-line Building a command line with string concatenation
CWE-77 Java/Kotlin java/ognl-injection OGNL Expression Language statement with user-controlled input
CWE-77 Java/Kotlin java/command-line-injection-extra Command Injection into Runtime.exec() with dangerous command
CWE-77 Java/Kotlin java/command-line-injection-extra-local Command Injection into Runtime.exec() with dangerous command
CWE-77 Java/Kotlin java/command-line-injection-experimental Uncontrolled command line (experimental sinks)
CWE-77 JavaScript/TypeScript js/command-line-injection Uncontrolled command line
CWE-77 JavaScript/TypeScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE-77 JavaScript/TypeScript js/second-order-command-line-injection Second order command injection
CWE-77 JavaScript/TypeScript js/shell-command-injection-from-environment Shell command built from environment values
CWE-77 JavaScript/TypeScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-77 JavaScript/TypeScript js/unnecessary-use-of-cat Unnecessary use of cat process
CWE-77 JavaScript/TypeScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE-77 JavaScript/TypeScript js/prototype-pollution-utility Prototype-polluting function
CWE-77 JavaScript/TypeScript js/prototype-pollution Prototype-polluting merge call
CWE-77 JavaScript/TypeScript js/command-line-injection-more-sources Uncontrolled command line with additional heuristic sources
CWE-77 JavaScript/TypeScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE-77 Python py/command-line-injection Uncontrolled command line
CWE-77 Python py/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-77 Ruby rb/command-line-injection Uncontrolled command line
CWE-77 Ruby rb/kernel-open Use of Kernel.open, IO.read or similar sinks with user-controlled input
CWE-77 Ruby rb/non-constant-kernel-open Use of Kernel.open or IO.read or similar sinks with a non-constant value
CWE-77 Ruby rb/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-77 Swift swift/command-line-injection System command built from user-controlled sources
CWE-78 C/C++ cpp/command-line-injection Uncontrolled data used in OS command
CWE-78 C/C++ cpp/wordexp-injection Uncontrolled data used in wordexp command
CWE-78 C# cs/command-line-injection Uncontrolled command line
CWE-78 Go go/command-injection Command built from user-controlled sources
CWE-78 Go go/stored-command Command built from stored data
CWE-78 Go go/unsafe-quoting Potentially unsafe quoting
CWE-78 Java/Kotlin java/relative-path-command Executing a command with a relative path
CWE-78 Java/Kotlin java/command-line-injection Uncontrolled command line
CWE-78 Java/Kotlin java/exec-tainted-environment Building a command with an injected environment variable
CWE-78 Java/Kotlin java/command-line-injection-local Local-user-controlled command line
CWE-78 Java/Kotlin java/concatenated-command-line Building a command line with string concatenation
CWE-78 Java/Kotlin java/command-line-injection-extra Command Injection into Runtime.exec() with dangerous command
CWE-78 Java/Kotlin java/command-line-injection-extra-local Command Injection into Runtime.exec() with dangerous command
CWE-78 Java/Kotlin java/command-line-injection-experimental Uncontrolled command line (experimental sinks)
CWE-78 JavaScript/TypeScript js/command-line-injection Uncontrolled command line
CWE-78 JavaScript/TypeScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE-78 JavaScript/TypeScript js/second-order-command-line-injection Second order command injection
CWE-78 JavaScript/TypeScript js/shell-command-injection-from-environment Shell command built from environment values
CWE-78 JavaScript/TypeScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-78 JavaScript/TypeScript js/unnecessary-use-of-cat Unnecessary use of cat process
CWE-78 JavaScript/TypeScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE-78 JavaScript/TypeScript js/prototype-pollution-utility Prototype-polluting function
CWE-78 JavaScript/TypeScript js/prototype-pollution Prototype-polluting merge call
CWE-78 JavaScript/TypeScript js/command-line-injection-more-sources Uncontrolled command line with additional heuristic sources
CWE-78 JavaScript/TypeScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE-78 Python py/command-line-injection Uncontrolled command line
CWE-78 Python py/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-78 Ruby rb/command-line-injection Uncontrolled command line
CWE-78 Ruby rb/kernel-open Use of Kernel.open, IO.read or similar sinks with user-controlled input
CWE-78 Ruby rb/non-constant-kernel-open Use of Kernel.open or IO.read or similar sinks with a non-constant value
CWE-78 Ruby rb/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-78 Swift swift/command-line-injection System command built from user-controlled sources
CWE-79 C/C++ cpp/cgi-xss CGI script vulnerable to cross-site scripting
CWE-79 C# cs/web/xss Cross-site scripting
CWE-79 Go go/reflected-xss Reflected cross-site scripting
CWE-79 Go go/stored-xss Stored cross-site scripting
CWE-79 Go go/html-template-escaping-passthrough HTML template escaping passthrough
CWE-79 Java/Kotlin java/android/webview-addjavascriptinterface Access Java object methods through JavaScript exposure
CWE-79 Java/Kotlin java/android/websettings-javascript-enabled Android WebView JavaScript settings
CWE-79 Java/Kotlin java/xss Cross-site scripting
CWE-79 Java/Kotlin java/xss-local Cross-site scripting from local source
CWE-79 Java/Kotlin java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android WebView
CWE-79 JavaScript/TypeScript js/disabling-electron-websecurity Disabling Electron webSecurity
CWE-79 JavaScript/TypeScript js/xss-through-exception Exception text reinterpreted as HTML
CWE-79 JavaScript/TypeScript js/reflected-xss Reflected cross-site scripting
CWE-79 JavaScript/TypeScript js/stored-xss Stored cross-site scripting
CWE-79 JavaScript/TypeScript js/html-constructed-from-input Unsafe HTML constructed from library input
CWE-79 JavaScript/TypeScript js/unsafe-jquery-plugin Unsafe jQuery plugin
CWE-79 JavaScript/TypeScript js/xss Client-side cross-site scripting
CWE-79 JavaScript/TypeScript js/xss-through-dom DOM text reinterpreted as HTML
CWE-79 JavaScript/TypeScript js/code-injection Code injection
CWE-79 JavaScript/TypeScript js/bad-code-sanitization Improper code sanitization
CWE-79 JavaScript/TypeScript js/unsafe-code-construction Unsafe code constructed from library input
CWE-79 JavaScript/TypeScript js/bad-tag-filter Bad HTML filtering regexp
CWE-79 JavaScript/TypeScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE-79 JavaScript/TypeScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE-79 JavaScript/TypeScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE-79 JavaScript/TypeScript js/unsafe-html-expansion Unsafe expansion of self-closing HTML tag
CWE-79 JavaScript/TypeScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE-79 JavaScript/TypeScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE-79 JavaScript/TypeScript js/prototype-pollution-utility Prototype-polluting function
CWE-79 JavaScript/TypeScript js/prototype-pollution Prototype-polluting merge call
CWE-79 JavaScript/TypeScript js/xss-more-sources Client-side cross-site scripting with additional heuristic sources
CWE-79 JavaScript/TypeScript js/code-injection-more-sources Code injection with additional heuristic sources
CWE-79 JavaScript/TypeScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE-79 Python py/jinja2/autoescape-false Jinja2 templating with autoescape=False
CWE-79 Python py/reflective-xss Reflected server-side cross-site scripting
CWE-79 Python py/reflective-xss-email Reflected server-side cross-site scripting
CWE-79 Python py/header-injection HTTP Header Injection
CWE-79 Ruby rb/reflected-xss Reflected server-side cross-site scripting
CWE-79 Ruby rb/stored-xss Stored cross-site scripting
CWE-79 Ruby rb/html-constructed-from-input Unsafe HTML constructed from library input
CWE-79 Ruby rb/unsafe-code-construction Unsafe code constructed from library input
CWE-79 Ruby rb/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE-79 Ruby rb/incomplete-sanitization Incomplete string escaping or encoding
CWE-79 Swift swift/unsafe-webview-fetch Unsafe WebView fetch
CWE-80 JavaScript/TypeScript js/bad-tag-filter Bad HTML filtering regexp
CWE-80 JavaScript/TypeScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE-80 JavaScript/TypeScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE-80 Ruby rb/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE-80 Ruby rb/incomplete-sanitization Incomplete string escaping or encoding
CWE-88 C/C++ cpp/command-line-injection Uncontrolled data used in OS command
CWE-88 C# cs/command-line-injection Uncontrolled command line
CWE-88 Java/Kotlin java/relative-path-command Executing a command with a relative path
CWE-88 Java/Kotlin java/command-line-injection Uncontrolled command line
CWE-88 Java/Kotlin java/exec-tainted-environment Building a command with an injected environment variable
CWE-88 Java/Kotlin java/command-line-injection-local Local-user-controlled command line
CWE-88 Java/Kotlin java/concatenated-command-line Building a command line with string concatenation
CWE-88 Java/Kotlin java/command-line-injection-experimental Uncontrolled command line (experimental sinks)
CWE-88 JavaScript/TypeScript js/command-line-injection Uncontrolled command line
CWE-88 JavaScript/TypeScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE-88 JavaScript/TypeScript js/second-order-command-line-injection Second order command injection
CWE-88 JavaScript/TypeScript js/shell-command-injection-from-environment Shell command built from environment values
CWE-88 JavaScript/TypeScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-88 JavaScript/TypeScript js/command-line-injection-more-sources Uncontrolled command line with additional heuristic sources
CWE-88 Python py/command-line-injection Uncontrolled command line
CWE-88 Python py/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-88 Ruby rb/command-line-injection Uncontrolled command line
CWE-88 Ruby rb/kernel-open Use of Kernel.open, IO.read or similar sinks with user-controlled input
CWE-88 Ruby rb/non-constant-kernel-open Use of Kernel.open or IO.read or similar sinks with a non-constant value
CWE-88 Ruby rb/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-88 Swift swift/command-line-injection System command built from user-controlled sources
CWE-89 C/C++ cpp/sql-injection Uncontrolled data in SQL query
CWE-89 C# cs/sql-injection SQL query built from user-controlled sources
CWE-89 Go go/sql-injection Database query built from user-controlled sources
CWE-89 Go go/unsafe-quoting Potentially unsafe quoting
CWE-89 Java/Kotlin java/concatenated-sql-query Query built by concatenation with a possibly-untrusted string
CWE-89 Java/Kotlin java/sql-injection Query built from user-controlled sources
CWE-89 Java/Kotlin java/sql-injection-local Query built from local-user-controlled sources
CWE-89 Java/Kotlin java/mybatis-annotation-sql-injection SQL injection in MyBatis annotation
CWE-89 Java/Kotlin java/mybatis-xml-sql-injection SQL injection in MyBatis Mapper XML
CWE-89 JavaScript/TypeScript js/sql-injection Database query built from user-controlled sources
CWE-89 JavaScript/TypeScript js/sql-injection-more-sources Database query built from user-controlled sources with additional heuristic sources
CWE-89 Python py/sql-injection SQL query built from user-controlled sources
CWE-89 Ruby rb/sql-injection SQL query built from user-controlled sources
CWE-89 Swift swift/sql-injection Database query built from user-controlled sources
CWE-90 C# cs/ldap-injection LDAP query built from user-controlled sources
CWE-90 Go go/ldap-injection LDAP query built from user-controlled sources
CWE-90 Java/Kotlin java/ldap-injection LDAP query built from user-controlled sources
CWE-90 JavaScript/TypeScript js/sql-injection Database query built from user-controlled sources
CWE-90 JavaScript/TypeScript js/sql-injection-more-sources Database query built from user-controlled sources with additional heuristic sources
CWE-90 Python py/ldap-injection LDAP query built from user-controlled sources
CWE-90 Ruby rb/ldap-injection LDAP Injection
CWE-91 C# cs/xml-injection XML injection
CWE-91 C# cs/xml/xpath-injection XPath injection
CWE-91 Go go/xml/xpath-injection XPath injection
CWE-91 Java/Kotlin java/xml/xpath-injection XPath injection
CWE-91 Java/Kotlin java/xquery-injection XQuery query built from user-controlled sources
CWE-91 JavaScript/TypeScript js/xpath-injection XPath injection
CWE-91 JavaScript/TypeScript js/xpath-injection-more-sources XPath injection with additional heuristic sources
CWE-91 Python py/xpath-injection XPath query built from user-controlled sources
CWE-91 Python py/xslt-injection XSLT query built from user-controlled sources
CWE-91 Ruby rb/xpath-injection XPath query built from user-controlled sources
CWE-93 C# cs/web/disabled-header-checking Header checking disabled
CWE-93 Java/Kotlin java/netty-http-request-or-response-splitting Disabled Netty HTTP header validation
CWE-93 Java/Kotlin java/http-response-splitting HTTP response splitting
CWE-93 Java/Kotlin java/http-response-splitting-local HTTP response splitting from local source
CWE-93 Python py/header-injection HTTP Header Injection
CWE-94 C# cs/code-injection Improper control of generation of code
CWE-94 Go go/unsafe-quoting Potentially unsafe quoting
CWE-94 Java/Kotlin java/android/arbitrary-apk-installation Android APK installation
CWE-94 Java/Kotlin java/groovy-injection Groovy Language injection
CWE-94 Java/Kotlin java/insecure-bean-validation Insecure Bean Validation
CWE-94 Java/Kotlin java/jexl-expression-injection Expression language injection (JEXL)
CWE-94 Java/Kotlin java/mvel-expression-injection Expression language injection (MVEL)
CWE-94 Java/Kotlin java/spel-expression-injection Expression language injection (Spring)
CWE-94 Java/Kotlin java/server-side-template-injection Server-side template injection
CWE-94 Java/Kotlin java/beanshell-injection BeanShell injection
CWE-94 Java/Kotlin java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE-94 Java/Kotlin java/jshell-injection JShell injection
CWE-94 Java/Kotlin java/javaee-expression-injection Jakarta Expression Language injection
CWE-94 Java/Kotlin java/jython-injection Injection in Jython
CWE-94 Java/Kotlin java/unsafe-eval Injection in Java Script Engine
CWE-94 Java/Kotlin java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE-94 Java/Kotlin java/spring-view-manipulation Spring View Manipulation
CWE-94 JavaScript/TypeScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE-94 JavaScript/TypeScript js/template-object-injection Template Object Injection
CWE-94 JavaScript/TypeScript js/code-injection Code injection
CWE-94 JavaScript/TypeScript js/actions/command-injection Expression injection in Actions
CWE-94 JavaScript/TypeScript js/bad-code-sanitization Improper code sanitization
CWE-94 JavaScript/TypeScript js/unsafe-code-construction Unsafe code constructed from library input
CWE-94 JavaScript/TypeScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE-94 JavaScript/TypeScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE-94 JavaScript/TypeScript js/prototype-pollution-utility Prototype-polluting function
CWE-94 JavaScript/TypeScript js/prototype-pollution Prototype-polluting merge call
CWE-94 JavaScript/TypeScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE-94 JavaScript/TypeScript js/code-injection-more-sources Code injection with additional heuristic sources
CWE-94 JavaScript/TypeScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE-94 Python py/code-injection Code injection
CWE-94 Ruby rb/server-side-template-injection Server-side template injection
CWE-94 Ruby rb/code-injection Code injection
CWE-94 Ruby rb/unsafe-code-construction Unsafe code constructed from library input
CWE-94 Swift swift/unsafe-webview-fetch Unsafe WebView fetch
CWE-94 Swift swift/unsafe-js-eval JavaScript Injection
CWE-95 C# cs/code-injection Improper control of generation of code
CWE-95 Java/Kotlin java/jython-injection Injection in Jython
CWE-95 JavaScript/TypeScript js/code-injection Code injection
CWE-95 JavaScript/TypeScript js/code-injection-more-sources Code injection with additional heuristic sources
CWE-95 Python py/code-injection Code injection
CWE-95 Ruby rb/code-injection Code injection
CWE-95 Swift swift/unsafe-webview-fetch Unsafe WebView fetch
CWE-95 Swift swift/unsafe-js-eval JavaScript Injection
CWE-96 C# cs/code-injection Improper control of generation of code
CWE-99 C# cs/path-injection Uncontrolled data used in path expression
CWE-99 C# cs/resource-injection Resource injection
CWE-99 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-99 Go go/path-injection Uncontrolled data used in path expression
CWE-99 JavaScript/TypeScript js/path-injection Uncontrolled data used in path expression
CWE-99 Python py/path-injection Uncontrolled data used in path expression
CWE-99 Ruby rb/path-injection Uncontrolled data used in path expression
CWE-99 Swift swift/path-injection Uncontrolled data used in path expression
CWE-112 C# cs/xml/missing-validation Missing XML validation
CWE-113 C# cs/web/disabled-header-checking Header checking disabled
CWE-113 Java/Kotlin java/netty-http-request-or-response-splitting Disabled Netty HTTP header validation
CWE-113 Java/Kotlin java/http-response-splitting HTTP response splitting
CWE-113 Java/Kotlin java/http-response-splitting-local HTTP response splitting from local source
CWE-113 Python py/header-injection HTTP Header Injection
CWE-114 C/C++ cpp/uncontrolled-process-operation Uncontrolled process operation
CWE-114 C# cs/assembly-path-injection Assembly path injection
CWE-116 C# cs/web/xss Cross-site scripting
CWE-116 C# cs/log-forging Log entries created from user input
CWE-116 C# cs/inappropriate-encoding Inappropriate encoding
CWE-116 Go go/reflected-xss Reflected cross-site scripting
CWE-116 Go go/stored-xss Stored cross-site scripting
CWE-116 Go go/log-injection Log entries created from user input
CWE-116 Java/Kotlin java/log-injection Log Injection
CWE-116 JavaScript/TypeScript js/angular/disabling-sce Disabling SCE
CWE-116 JavaScript/TypeScript js/identity-replacement Replacement of a substring with itself
CWE-116 JavaScript/TypeScript js/xss-through-exception Exception text reinterpreted as HTML
CWE-116 JavaScript/TypeScript js/reflected-xss Reflected cross-site scripting
CWE-116 JavaScript/TypeScript js/stored-xss Stored cross-site scripting
CWE-116 JavaScript/TypeScript js/html-constructed-from-input Unsafe HTML constructed from library input
CWE-116 JavaScript/TypeScript js/unsafe-jquery-plugin Unsafe jQuery plugin
CWE-116 JavaScript/TypeScript js/xss Client-side cross-site scripting
CWE-116 JavaScript/TypeScript js/xss-through-dom DOM text reinterpreted as HTML
CWE-116 JavaScript/TypeScript js/code-injection Code injection
CWE-116 JavaScript/TypeScript js/bad-code-sanitization Improper code sanitization
CWE-116 JavaScript/TypeScript js/unsafe-code-construction Unsafe code constructed from library input
CWE-116 JavaScript/TypeScript js/bad-tag-filter Bad HTML filtering regexp
CWE-116 JavaScript/TypeScript js/double-escaping Double escaping or unescaping
CWE-116 JavaScript/TypeScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE-116 JavaScript/TypeScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE-116 JavaScript/TypeScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE-116 JavaScript/TypeScript js/unsafe-html-expansion Unsafe expansion of self-closing HTML tag
CWE-116 JavaScript/TypeScript js/log-injection Log injection
CWE-116 JavaScript/TypeScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE-116 JavaScript/TypeScript js/xss-more-sources Client-side cross-site scripting with additional heuristic sources
CWE-116 JavaScript/TypeScript js/code-injection-more-sources Code injection with additional heuristic sources
CWE-116 JavaScript/TypeScript js/log-injection-more-sources Log injection with additional heuristic sources
CWE-116 Python py/reflective-xss Reflected server-side cross-site scripting
CWE-116 Python py/code-injection Code injection
CWE-116 Python py/bad-tag-filter Bad HTML filtering regexp
CWE-116 Python py/log-injection Log Injection
CWE-116 Python py/reflective-xss-email Reflected server-side cross-site scripting
CWE-116 Ruby rb/reflected-xss Reflected server-side cross-site scripting
CWE-116 Ruby rb/stored-xss Stored cross-site scripting
CWE-116 Ruby rb/html-constructed-from-input Unsafe HTML constructed from library input
CWE-116 Ruby rb/code-injection Code injection
CWE-116 Ruby rb/unsafe-code-construction Unsafe code constructed from library input
CWE-116 Ruby rb/bad-tag-filter Bad HTML filtering regexp
CWE-116 Ruby rb/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE-116 Ruby rb/incomplete-sanitization Incomplete string escaping or encoding
CWE-116 Ruby rb/log-injection Log injection
CWE-116 Swift swift/bad-tag-filter Bad HTML filtering regexp
CWE-117 C# cs/log-forging Log entries created from user input
CWE-117 Go go/log-injection Log entries created from user input
CWE-117 Java/Kotlin java/log-injection Log Injection
CWE-117 JavaScript/TypeScript js/log-injection Log injection
CWE-117 JavaScript/TypeScript js/log-injection-more-sources Log injection with additional heuristic sources
CWE-117 Python py/log-injection Log Injection
CWE-117 Ruby rb/log-injection Log injection
CWE-118 C/C++ cpp/offset-use-before-range-check Array offset used before range check
CWE-118 C/C++ cpp/double-free Potential double free
CWE-118 C/C++ cpp/late-negative-test Pointer offset used before it is checked
CWE-118 C/C++ cpp/missing-negativity-test Unchecked return value used as offset
CWE-118 C/C++ cpp/overflow-calculated Buffer not sufficient for string
CWE-118 C/C++ cpp/overflow-destination Copy function using source size
CWE-118 C/C++ cpp/static-buffer-overflow Static array access may cause overflow
CWE-118 C/C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE-118 C/C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE-118 C/C++ cpp/use-after-free Potential use after free
CWE-118 C/C++ cpp/upcast-array-pointer-arithmetic Upcast array used in pointer arithmetic
CWE-118 C/C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE-118 C/C++ cpp/bad-strncpy-size Possibly wrong buffer size in string copy
CWE-118 C/C++ cpp/unsafe-strncat Potentially unsafe call to strncat
CWE-118 C/C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE-118 C/C++ cpp/using-expired-stack-address Use of expired stack-address
CWE-118 C/C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE-118 C/C++ cpp/overrun-write Overrunning write
CWE-118 C/C++ cpp/badly-bounded-write Badly bounded write
CWE-118 C/C++ cpp/overrunning-write Potentially overrunning write
CWE-118 C/C++ cpp/overrunning-write-with-float Potentially overrunning write with float to string conversion
CWE-118 C/C++ cpp/unbounded-write Unbounded write
CWE-118 C/C++ cpp/very-likely-overrunning-write Likely overrunning write
CWE-118 C/C++ cpp/unterminated-variadic-call Unterminated variadic call
CWE-118 C/C++ cpp/no-space-for-terminator No space for zero terminator
CWE-118 C/C++ cpp/invalid-pointer-deref Invalid pointer dereference
CWE-118 C/C++ cpp/openssl-heartbleed Use of a version of OpenSSL with Heartbleed
CWE-118 C/C++ cpp/use-of-string-after-lifetime-ends Use of string after lifetime ends
CWE-118 C/C++ cpp/use-of-unique-pointer-after-lifetime-ends Use of unique pointer after lifetime ends
CWE-118 C/C++ cpp/memory-unsafe-function-scan Scanf function without a specified length
CWE-118 C/C++ cpp/dangerous-use-convert-function Dangerous use convert function.
CWE-118 C/C++ cpp/experimental-double-free Errors When Double Free
CWE-118 C/C++ cpp/iterator-to-expired-container Iterator to expired container
CWE-118 C/C++ cpp/use-after-expired-lifetime Use of object after its lifetime has ended
CWE-118 C/C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE-118 C/C++ cpp/sign-conversion-pointer-arithmetic unsigned to signed used in pointer arithmetic
CWE-118 C/C++ cpp/access-memory-location-after-end-buffer-strlen Access Of Memory Location After End Of Buffer
CWE-118 C/C++ cpp/buffer-access-with-incorrect-length-value Buffer access with incorrect length value
CWE-118 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE-118 Go go/wrong-usage-of-unsafe Wrong usage of package unsafe
CWE-119 C/C++ cpp/offset-use-before-range-check Array offset used before range check
CWE-119 C/C++ cpp/double-free Potential double free
CWE-119 C/C++ cpp/late-negative-test Pointer offset used before it is checked
CWE-119 C/C++ cpp/missing-negativity-test Unchecked return value used as offset
CWE-119 C/C++ cpp/overflow-calculated Buffer not sufficient for string
CWE-119 C/C++ cpp/overflow-destination Copy function using source size
CWE-119 C/C++ cpp/static-buffer-overflow Static array access may cause overflow
CWE-119 C/C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE-119 C/C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE-119 C/C++ cpp/use-after-free Potential use after free
CWE-119 C/C++ cpp/upcast-array-pointer-arithmetic Upcast array used in pointer arithmetic
CWE-119 C/C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE-119 C/C++ cpp/bad-strncpy-size Possibly wrong buffer size in string copy
CWE-119 C/C++ cpp/unsafe-strncat Potentially unsafe call to strncat
CWE-119 C/C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE-119 C/C++ cpp/using-expired-stack-address Use of expired stack-address
CWE-119 C/C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE-119 C/C++ cpp/overrun-write Overrunning write
CWE-119 C/C++ cpp/badly-bounded-write Badly bounded write
CWE-119 C/C++ cpp/overrunning-write Potentially overrunning write
CWE-119 C/C++ cpp/overrunning-write-with-float Potentially overrunning write with float to string conversion
CWE-119 C/C++ cpp/unbounded-write Unbounded write
CWE-119 C/C++ cpp/very-likely-overrunning-write Likely overrunning write
CWE-119 C/C++ cpp/unterminated-variadic-call Unterminated variadic call
CWE-119 C/C++ cpp/no-space-for-terminator No space for zero terminator
CWE-119 C/C++ cpp/invalid-pointer-deref Invalid pointer dereference
CWE-119 C/C++ cpp/openssl-heartbleed Use of a version of OpenSSL with Heartbleed
CWE-119 C/C++ cpp/use-of-string-after-lifetime-ends Use of string after lifetime ends
CWE-119 C/C++ cpp/use-of-unique-pointer-after-lifetime-ends Use of unique pointer after lifetime ends
CWE-119 C/C++ cpp/memory-unsafe-function-scan Scanf function without a specified length
CWE-119 C/C++ cpp/dangerous-use-convert-function Dangerous use convert function.
CWE-119 C/C++ cpp/experimental-double-free Errors When Double Free
CWE-119 C/C++ cpp/iterator-to-expired-container Iterator to expired container
CWE-119 C/C++ cpp/use-after-expired-lifetime Use of object after its lifetime has ended
CWE-119 C/C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE-119 C/C++ cpp/sign-conversion-pointer-arithmetic unsigned to signed used in pointer arithmetic
CWE-119 C/C++ cpp/access-memory-location-after-end-buffer-strlen Access Of Memory Location After End Of Buffer
CWE-119 C/C++ cpp/buffer-access-with-incorrect-length-value Buffer access with incorrect length value
CWE-119 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE-119 Go go/wrong-usage-of-unsafe Wrong usage of package unsafe
CWE-120 C/C++ cpp/offset-use-before-range-check Array offset used before range check
CWE-120 C/C++ cpp/overflow-calculated Buffer not sufficient for string
CWE-120 C/C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE-120 C/C++ cpp/badly-bounded-write Badly bounded write
CWE-120 C/C++ cpp/overrunning-write Potentially overrunning write
CWE-120 C/C++ cpp/overrunning-write-with-float Potentially overrunning write with float to string conversion
CWE-120 C/C++ cpp/unbounded-write Unbounded write
CWE-120 C/C++ cpp/very-likely-overrunning-write Likely overrunning write
CWE-120 C/C++ cpp/no-space-for-terminator No space for zero terminator
CWE-120 C/C++ cpp/memory-unsafe-function-scan Scanf function without a specified length
CWE-120 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE-121 C/C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE-121 C/C++ cpp/unterminated-variadic-call Unterminated variadic call
CWE-122 C/C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE-122 C/C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE-122 C/C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE-122 C/C++ cpp/no-space-for-terminator No space for zero terminator
CWE-122 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE-125 C/C++ cpp/offset-use-before-range-check Array offset used before range check
CWE-125 C/C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE-125 C/C++ cpp/invalid-pointer-deref Invalid pointer dereference
CWE-125 C/C++ cpp/dangerous-use-convert-function Dangerous use convert function.
CWE-125 Go go/wrong-usage-of-unsafe Wrong usage of package unsafe
CWE-126 C/C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE-126 Go go/wrong-usage-of-unsafe Wrong usage of package unsafe
CWE-128 C/C++ cpp/signed-overflow-check Signed overflow check
CWE-128 C/C++ cpp/multiplication-overflow-in-alloc Multiplication result may overflow and be used in allocation
CWE-129 C/C++ cpp/unclear-array-index-validation Unclear validation of array index
CWE-129 Java/Kotlin java/improper-validation-of-array-construction Improper validation of user-provided size used for array construction
CWE-129 Java/Kotlin java/improper-validation-of-array-construction-code-specified Improper validation of code-specified size used for array construction
CWE-129 Java/Kotlin java/improper-validation-of-array-construction-local Improper validation of local user-provided size used for array construction
CWE-129 Java/Kotlin java/improper-validation-of-array-index Improper validation of user-provided array index
CWE-129 Java/Kotlin java/improper-validation-of-array-index-code-specified Improper validation of code-specified array index
CWE-129 Java/Kotlin java/improper-validation-of-array-index-local Improper validation of local user-provided array index
CWE-131 C/C++ cpp/overflow-calculated Buffer not sufficient for string
CWE-131 C/C++ cpp/overflow-destination Copy function using source size
CWE-131 C/C++ cpp/static-buffer-overflow Static array access may cause overflow
CWE-131 C/C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE-131 C/C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE-131 C/C++ cpp/overrun-write Overrunning write
CWE-131 C/C++ cpp/no-space-for-terminator No space for zero terminator
CWE-134 C/C++ cpp/non-constant-format Non-constant format string
CWE-134 C/C++ cpp/tainted-format-string Uncontrolled format string
CWE-134 C# cs/uncontrolled-format-string Uncontrolled format string
CWE-134 Java/Kotlin java/tainted-format-string Use of externally-controlled format string
CWE-134 Java/Kotlin java/tainted-format-string-local Use of externally-controlled format string from local source
CWE-134 JavaScript/TypeScript js/tainted-format-string Use of externally-controlled format string
CWE-134 JavaScript/TypeScript js/tainted-format-string-more-sources Use of externally-controlled format string with additional heuristic sources
CWE-134 Ruby rb/tainted-format-string Use of externally-controlled format string
CWE-134 Swift swift/uncontrolled-format-string Uncontrolled format string
CWE-135 Swift swift/string-length-conflation String length conflation
CWE-170 C/C++ cpp/improper-null-termination Potential improper null termination
CWE-170 C/C++ cpp/user-controlled-null-termination-tainted User-controlled data may not be null terminated
CWE-172 Python py/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE-172 Ruby rb/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE-176 Python py/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE-176 Ruby rb/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE-178 JavaScript/TypeScript js/case-sensitive-middleware-path Case-sensitive middleware path
CWE-179 Python py/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE-179 Ruby rb/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE-180 Python py/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE-180 Ruby rb/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE-183 Go go/cors-misconfiguration CORS misconfiguration
CWE-183 JavaScript/TypeScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE-183 JavaScript/TypeScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE-183 JavaScript/TypeScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE-184 JavaScript/TypeScript js/incomplete-url-scheme-check Incomplete URL scheme check
CWE-184 JavaScript/TypeScript js/bad-tag-filter Bad HTML filtering regexp
CWE-185 Java/Kotlin java/permissive-dot-regex URL matched by permissive . in a regular expression
CWE-185 JavaScript/TypeScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE-185 JavaScript/TypeScript js/bad-tag-filter Bad HTML filtering regexp
CWE-185 Python py/bad-tag-filter Bad HTML filtering regexp
CWE-185 Ruby rb/bad-tag-filter Bad HTML filtering regexp
CWE-185 Swift swift/bad-tag-filter Bad HTML filtering regexp
CWE-186 JavaScript/TypeScript js/bad-tag-filter Bad HTML filtering regexp
CWE-186 Python py/bad-tag-filter Bad HTML filtering regexp
CWE-186 Ruby rb/bad-tag-filter Bad HTML filtering regexp
CWE-186 Swift swift/bad-tag-filter Bad HTML filtering regexp
CWE-190 C/C++ cpp/ambiguously-signed-bit-field Ambiguously signed bit-field member
CWE-190 C/C++ cpp/bad-addition-overflow-check Bad check for overflow of integer addition
CWE-190 C/C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE-190 C/C++ cpp/signed-overflow-check Signed overflow check
CWE-190 C/C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE-190 C/C++ cpp/tainted-arithmetic User-controlled data in arithmetic expression
CWE-190 C/C++ cpp/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE-190 C/C++ cpp/arithmetic-with-extreme-values Use of extreme values in arithmetic expression
CWE-190 C/C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE-190 C/C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE-190 C/C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE-190 C/C++ cpp/multiplication-overflow-in-alloc Multiplication result may overflow and be used in allocation
CWE-190 C/C++ cpp/dangerous-use-of-transformation-after-operation Dangerous use of transformation after operation.
CWE-190 C/C++ cpp/signed-bit-field Possible signed bit-field member
CWE-190 C# cs/loss-of-precision Possible loss of precision
CWE-190 Go go/allocation-size-overflow Size computation for allocation may overflow
CWE-190 Go go/incorrect-integer-conversion Incorrect conversion between integer types
CWE-190 Java/Kotlin java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE-190 Java/Kotlin java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE-190 Java/Kotlin java/tainted-arithmetic User-controlled data in arithmetic expression
CWE-190 Java/Kotlin java/tainted-arithmetic-local Local-user-controlled data in arithmetic expression
CWE-190 Java/Kotlin java/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE-190 Java/Kotlin java/extreme-value-arithmetic Use of extreme values in arithmetic expression
CWE-190 Java/Kotlin java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE-191 C/C++ cpp/tainted-arithmetic User-controlled data in arithmetic expression
CWE-191 C/C++ cpp/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE-191 C/C++ cpp/arithmetic-with-extreme-values Use of extreme values in arithmetic expression
CWE-191 C/C++ cpp/unsigned-difference-expression-compared-zero Unsigned difference expression compared to zero
CWE-191 Java/Kotlin java/tainted-arithmetic User-controlled data in arithmetic expression
CWE-191 Java/Kotlin java/tainted-arithmetic-local Local-user-controlled data in arithmetic expression
CWE-191 Java/Kotlin java/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE-191 Java/Kotlin java/extreme-value-arithmetic Use of extreme values in arithmetic expression
CWE-193 C/C++ cpp/invalid-pointer-deref Invalid pointer dereference
CWE-193 C# cs/index-out-of-bounds Off-by-one comparison against container length
CWE-193 Go go/index-out-of-bounds Off-by-one comparison against length
CWE-193 Java/Kotlin java/index-out-of-bounds Array index out of bounds
CWE-193 JavaScript/TypeScript js/index-out-of-bounds Off-by-one comparison against length
CWE-197 C/C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE-197 C/C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE-197 C/C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE-197 C# cs/loss-of-precision Possible loss of precision
CWE-197 Go go/shift-out-of-range Shift out of range
CWE-197 Java/Kotlin java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE-197 Java/Kotlin java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE-197 Java/Kotlin java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE-197 Java/Kotlin java/tainted-numeric-cast User-controlled data in numeric cast
CWE-197 Java/Kotlin java/tainted-numeric-cast-local Local-user-controlled data in numeric cast
CWE-197 JavaScript/TypeScript js/shift-out-of-range Shift out of range
CWE-200 C/C++ cpp/cleartext-transmission Cleartext transmission of sensitive information
CWE-200 C/C++ cpp/system-data-exposure Exposure of system data to an unauthorized control sphere
CWE-200 C/C++ cpp/potential-system-data-exposure Potential exposure of sensitive system data to an unauthorized control sphere
CWE-200 C/C++ cpp/work-with-file-without-permissions-rights Writing to a file without setting permissions.
CWE-200 C/C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE-200 C/C++ cpp/private-cleartext-write Exposure of private information
CWE-200 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE-200 C# cs/sensitive-data-transmission Information exposure through transmitted data
CWE-200 C# cs/information-exposure-through-exception Information exposure through an exception
CWE-200 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE-200 C# cs/exposure-of-sensitive-information Exposure of private information
CWE-200 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE-200 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE-200 Go go/stack-trace-exposure Information exposure through a stack trace
CWE-200 Go go/clear-text-logging Clear-text logging of sensitive information
CWE-200 Go go/timing-attack Timing attacks due to comparison of sensitive secrets
CWE-200 Java/Kotlin java/android/sensitive-notification Exposure of sensitive information to notifications
CWE-200 Java/Kotlin java/android/sensitive-text Exposure of sensitive information to UI text views
CWE-200 Java/Kotlin java/android/websettings-allow-content-access Android WebView settings allows access to content links
CWE-200 Java/Kotlin java/android/websettings-file-access Android WebSettings file access
CWE-200 Java/Kotlin java/local-temp-file-or-directory-information-disclosure Local information disclosure in a temporary directory
CWE-200 Java/Kotlin java/stack-trace-exposure Information exposure through a stack trace
CWE-200 Java/Kotlin java/android/sensitive-keyboard-cache Android sensitive keyboard cache
CWE-200 Java/Kotlin java/sensitive-log Insertion of sensitive information into log files
CWE-200 Java/Kotlin java/insecure-webview-resource-response Insecure Android WebView Resource Response
CWE-200 Java/Kotlin java/sensitive-android-file-leak Leaking sensitive Android file
CWE-200 Java/Kotlin java/possible-timing-attack-against-signature Possible timing attack against signature validation
CWE-200 Java/Kotlin java/timing-attack-against-headers-value Timing attack against header value
CWE-200 Java/Kotlin java/timing-attack-against-signature Timing attack against signature validation
CWE-200 Java/Kotlin java/server-directory-listing Directories and files exposure
CWE-200 Java/Kotlin java/sensitive-query-with-get Sensitive GET Query
CWE-200 JavaScript/TypeScript js/unsafe-external-link Potentially unsafe external link
CWE-200 JavaScript/TypeScript js/file-access-to-http File data in outbound network request
CWE-200 JavaScript/TypeScript js/exposure-of-private-files Exposure of private files
CWE-200 JavaScript/TypeScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE-200 JavaScript/TypeScript js/stack-trace-exposure Information exposure through a stack trace
CWE-200 JavaScript/TypeScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE-200 JavaScript/TypeScript js/clear-text-logging Clear-text logging of sensitive information
CWE-200 JavaScript/TypeScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE-200 JavaScript/TypeScript js/sensitive-get-query Sensitive data read from GET request
CWE-200 Python py/bind-socket-all-network-interfaces Binding a socket to all network interfaces
CWE-200 Python py/stack-trace-exposure Information exposure through an exception
CWE-200 Python py/flask-debug Flask app is run in debug mode
CWE-200 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE-200 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE-200 Python py/possible-timing-attack-against-hash Timing attack against Hash
CWE-200 Python py/timing-attack-against-hash Timing attack against Hash
CWE-200 Python py/timing-attack-against-header-value Timing attack against header value
CWE-200 Python py/possible-timing-attack-sensitive-info Timing attack against secret
CWE-200 Python py/timing-attack-sensitive-info Timing attack against secret
CWE-200 Ruby rb/unsafe-hmac-comparison Unsafe HMAC Comparison
CWE-200 Ruby rb/stack-trace-exposure Information exposure through an exception
CWE-200 Ruby rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE-200 Ruby rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE-200 Ruby rb/sensitive-get-query Sensitive data read from GET request
CWE-200 Swift swift/cleartext-logging Cleartext logging of sensitive information
CWE-201 C# cs/sensitive-data-transmission Information exposure through transmitted data
CWE-201 JavaScript/TypeScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE-203 Go go/timing-attack Timing attacks due to comparison of sensitive secrets
CWE-203 Java/Kotlin java/possible-timing-attack-against-signature Possible timing attack against signature validation
CWE-203 Java/Kotlin java/timing-attack-against-headers-value Timing attack against header value
CWE-203 Java/Kotlin java/timing-attack-against-signature Timing attack against signature validation
CWE-203 Python py/possible-timing-attack-against-hash Timing attack against Hash
CWE-203 Python py/timing-attack-against-hash Timing attack against Hash
CWE-203 Python py/timing-attack-against-header-value Timing attack against header value
CWE-203 Python py/possible-timing-attack-sensitive-info Timing attack against secret
CWE-203 Python py/timing-attack-sensitive-info Timing attack against secret
CWE-203 Ruby rb/unsafe-hmac-comparison Unsafe HMAC Comparison
CWE-208 Java/Kotlin java/possible-timing-attack-against-signature Possible timing attack against signature validation
CWE-208 Java/Kotlin java/timing-attack-against-headers-value Timing attack against header value
CWE-208 Java/Kotlin java/timing-attack-against-signature Timing attack against signature validation
CWE-208 Python py/possible-timing-attack-against-hash Timing attack against Hash
CWE-208 Python py/timing-attack-against-hash Timing attack against Hash
CWE-208 Python py/timing-attack-against-header-value Timing attack against header value
CWE-208 Python py/possible-timing-attack-sensitive-info Timing attack against secret
CWE-208 Python py/timing-attack-sensitive-info Timing attack against secret
CWE-208 Ruby rb/unsafe-hmac-comparison Unsafe HMAC Comparison
CWE-209 C# cs/information-exposure-through-exception Information exposure through an exception
CWE-209 Go go/stack-trace-exposure Information exposure through a stack trace
CWE-209 Java/Kotlin java/stack-trace-exposure Information exposure through a stack trace
CWE-209 JavaScript/TypeScript js/stack-trace-exposure Information exposure through a stack trace
CWE-209 Python py/stack-trace-exposure Information exposure through an exception
CWE-209 Ruby rb/stack-trace-exposure Information exposure through an exception
CWE-215 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE-215 Python py/flask-debug Flask app is run in debug mode
CWE-216 JavaScript/TypeScript js/exposure-of-private-files Exposure of private files
CWE-219 JavaScript/TypeScript js/exposure-of-private-files Exposure of private files
CWE-221 C# cs/catch-of-all-exceptions Generic catch clause
CWE-221 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-221 Java/Kotlin java/overly-general-catch Overly-general catch clause
CWE-221 JavaScript/TypeScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-221 Python py/catch-base-exception Except block handles 'BaseException'
CWE-227 C/C++ cpp/double-free Potential double free
CWE-227 C/C++ cpp/incorrectly-checked-scanf Incorrect return-value check for a 'scanf'-like function
CWE-227 C/C++ cpp/missing-check-scanf Missing return-value check for a 'scanf'-like function
CWE-227 C/C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE-227 C/C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE-227 C/C++ cpp/wrong-type-format-argument Wrong type of arguments to formatting function
CWE-227 C/C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE-227 C/C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE-227 C/C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE-227 C/C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE-227 C/C++ cpp/twice-locked Mutex locked twice
CWE-227 C/C++ cpp/unreleased-lock Lock may not be released
CWE-227 C/C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE-227 C/C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE-227 C/C++ cpp/experimental-double-free Errors When Double Free
CWE-227 C/C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE-227 C/C++ cpp/double-release Errors When Double Release
CWE-227 C# cs/inconsistent-equals-and-gethashcode Inconsistent Equals(object) and GetHashCode()
CWE-227 C# cs/invalid-dynamic-call Bad dynamic call
CWE-227 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-227 Java/Kotlin java/ejb/container-interference EJB interferes with container operation
CWE-227 Java/Kotlin java/ejb/file-io EJB uses file input/output
CWE-227 Java/Kotlin java/ejb/graphics EJB uses graphics
CWE-227 Java/Kotlin java/ejb/native-code EJB uses native code
CWE-227 Java/Kotlin java/ejb/reflection EJB uses reflection
CWE-227 Java/Kotlin java/ejb/security-configuration-access EJB accesses security configuration
CWE-227 Java/Kotlin java/ejb/substitution-in-serialization EJB uses substitution in serialization
CWE-227 Java/Kotlin java/ejb/socket-or-stream-handler-factory EJB sets socket factory or URL stream handler factory
CWE-227 Java/Kotlin java/ejb/server-socket EJB uses server socket
CWE-227 Java/Kotlin java/ejb/non-final-static-field EJB uses non-final static field
CWE-227 Java/Kotlin java/ejb/synchronization EJB uses synchronization
CWE-227 Java/Kotlin java/ejb/this EJB uses 'this' as argument or result
CWE-227 Java/Kotlin java/ejb/threads EJB uses threads
CWE-227 Java/Kotlin java/missing-call-to-super-clone Missing super clone
CWE-227 Java/Kotlin java/inconsistent-equals-and-hashcode Inconsistent equals and hashCode
CWE-227 Java/Kotlin java/unreleased-lock Unreleased lock
CWE-227 Java/Kotlin java/missing-super-finalize Finalizer inconsistency
CWE-227 Java/Kotlin java/missing-format-argument Missing format argument
CWE-227 Java/Kotlin java/unused-format-argument Unused format argument
CWE-227 Java/Kotlin java/static-initialization-vector Using a static initialization vector for encryption
CWE-227 Java/Kotlin java/empty-finalizer Empty body of finalizer
CWE-227 JavaScript/TypeScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE-227 JavaScript/TypeScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-227 Python py/equals-hash-mismatch Inconsistent equality and hashing
CWE-227 Python py/call/wrong-named-class-argument Wrong name for an argument in a class instantiation
CWE-227 Python py/call/wrong-number-class-arguments Wrong number of arguments in a class instantiation
CWE-227 Python py/super-not-enclosing-class First argument to super() is not enclosing class
CWE-227 Python py/call/wrong-named-argument Wrong name for an argument in a call
CWE-227 Python py/percent-format/wrong-arguments Wrong number of arguments for format
CWE-227 Python py/call/wrong-arguments Wrong number of arguments in a call
CWE-227 Swift swift/static-initialization-vector Static initialization vector for encryption
CWE-228 C/C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE-228 C/C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE-233 C/C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE-233 C/C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE-234 C/C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE-234 C/C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE-242 C/C++ cpp/dangerous-function-overflow Use of dangerous function
CWE-243 C/C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE-247 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE-247 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE-248 C/C++ cpp/operator-find-incorrectly-used-exceptions Operator Find Incorrectly Used Exceptions
CWE-248 C# cs/web/missing-global-error-handler Missing global error handler
CWE-248 Java/Kotlin java/uncaught-number-format-exception Missing catch of NumberFormatException
CWE-248 Java/Kotlin java/uncaught-servlet-exception Uncaught Servlet Exception
CWE-248 JavaScript/TypeScript js/server-crash Server crash
CWE-250 JavaScript/TypeScript js/remote-property-injection Remote property injection
CWE-250 JavaScript/TypeScript js/remote-property-injection-more-sources Remote property injection with additional heuristic sources
CWE-252 C/C++ cpp/missing-check-scanf Missing return-value check for a 'scanf'-like function
CWE-252 C/C++ cpp/return-value-ignored Return value of a function is ignored
CWE-252 C/C++ cpp/inconsistent-call-on-result Inconsistent operation on return value
CWE-252 C/C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE-252 C/C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE-252 C/C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE-252 C# cs/unchecked-return-value Unchecked return value
CWE-252 Java/Kotlin java/inconsistent-call-on-result Inconsistent operation on return value
CWE-252 Java/Kotlin java/return-value-ignored Method result ignored
CWE-252 Python py/ignored-return-value Ignored return value
CWE-253 C/C++ cpp/incorrectly-checked-scanf Incorrect return-value check for a 'scanf'-like function
CWE-253 C/C++ cpp/missing-check-scanf Missing return-value check for a 'scanf'-like function
CWE-253 C/C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE-253 C/C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE-256 C# cs/password-in-configuration Password in configuration file
CWE-256 Java/Kotlin java/credentials-in-properties Cleartext Credentials in Properties File
CWE-256 Java/Kotlin java/password-in-configuration Password in configuration file
CWE-256 JavaScript/TypeScript js/password-in-configuration-file Password in configuration file
CWE-258 C# cs/empty-password-in-configuration Empty password in configuration file
CWE-258 JavaScript/TypeScript js/empty-password-in-configuration-file Empty password in configuration file
CWE-259 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-259 C# cs/hardcoded-credentials Hard-coded credentials
CWE-259 Go go/hardcoded-credentials Hard-coded credentials
CWE-259 JavaScript/TypeScript js/hardcoded-credentials Hard-coded credentials
CWE-259 Python py/hardcoded-credentials Hard-coded credentials
CWE-259 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE-259 Swift swift/constant-password Constant password
CWE-260 C/C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE-260 C# cs/empty-password-in-configuration Empty password in configuration file
CWE-260 C# cs/password-in-configuration Password in configuration file
CWE-260 Java/Kotlin java/credentials-in-properties Cleartext Credentials in Properties File
CWE-260 Java/Kotlin java/password-in-configuration Password in configuration file
CWE-260 JavaScript/TypeScript js/password-in-configuration-file Password in configuration file
CWE-260 JavaScript/TypeScript js/empty-password-in-configuration-file Empty password in configuration file
CWE-266 C/C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE-266 Java/Kotlin java/android/intent-uri-permission-manipulation Intent URI permission manipulation
CWE-269 C/C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE-269 C/C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE-269 Java/Kotlin java/android/intent-uri-permission-manipulation Intent URI permission manipulation
CWE-269 Java/Kotlin java/unsafe-cert-trust Unsafe certificate trust
CWE-269 JavaScript/TypeScript js/remote-property-injection Remote property injection
CWE-269 JavaScript/TypeScript js/remote-property-injection-more-sources Remote property injection with additional heuristic sources
CWE-271 C/C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE-271 Java/Kotlin java/unsafe-cert-trust Unsafe certificate trust
CWE-273 C/C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE-273 Java/Kotlin java/unsafe-cert-trust Unsafe certificate trust
CWE-284 C/C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE-284 C/C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE-284 C/C++ cpp/world-writable-file-creation File created without restricting permissions
CWE-284 C/C++ cpp/open-call-with-mode-argument File opened with O_CREAT flag but without mode argument
CWE-284 C/C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE-284 C/C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE-284 C/C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE-284 C/C++ cpp/pam-auth-bypass PAM Authorization bypass
CWE-284 C# cs/empty-password-in-configuration Empty password in configuration file
CWE-284 C# cs/password-in-configuration Password in configuration file
CWE-284 C# cs/web/missing-function-level-access-control Missing function level access control
CWE-284 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE-284 C# cs/session-reuse Failure to abandon session
CWE-284 C# cs/web/insecure-direct-object-reference Insecure Direct Object Reference
CWE-284 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-284 C# cs/hardcoded-credentials Hard-coded credentials
CWE-284 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE-284 C# cs/web/broad-cookie-domain Cookie security: overly broad domain
CWE-284 C# cs/web/broad-cookie-path Cookie security: overly broad path
CWE-284 Go go/insecure-hostkeycallback Use of insecure HostKeyCallback implementation
CWE-284 Go go/email-injection Email content injection
CWE-284 Go go/hardcoded-credentials Hard-coded credentials
CWE-284 Go go/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE-284 Go go/improper-ldap-auth Improper LDAP Authentication
CWE-284 Go go/parse-jwt-with-hardcoded-key Decoding JWT with hardcoded key
CWE-284 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE-284 Go go/cors-misconfiguration CORS misconfiguration
CWE-284 Java/Kotlin java/local-temp-file-or-directory-information-disclosure Local information disclosure in a temporary directory
CWE-284 Java/Kotlin java/android/intent-uri-permission-manipulation Intent URI permission manipulation
CWE-284 Java/Kotlin java/unsafe-cert-trust Unsafe certificate trust
CWE-284 Java/Kotlin java/android/insecure-local-key-gen Insecurely generated keys for local authentication
CWE-284 Java/Kotlin java/android/insecure-local-authentication Insecure local authentication
CWE-284 Java/Kotlin java/insecure-smtp-ssl Insecure JavaMail SSL Configuration
CWE-284 Java/Kotlin java/unsafe-hostname-verification Unsafe hostname verification
CWE-284 Java/Kotlin java/socket-auth-race-condition Race condition in socket authentication
CWE-284 Java/Kotlin java/insecure-basic-auth Insecure basic authentication
CWE-284 Java/Kotlin java/insecure-ldap-auth Insecure LDAP authentication
CWE-284 Java/Kotlin java/world-writable-file-read Reading from a world writable file
CWE-284 Java/Kotlin java/hardcoded-credential-api-call Hard-coded credential in API call
CWE-284 Java/Kotlin java/hardcoded-credential-comparison Hard-coded credential comparison
CWE-284 Java/Kotlin java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE-284 Java/Kotlin java/hardcoded-password-field Hard-coded password field
CWE-284 Java/Kotlin java/user-controlled-bypass User-controlled bypass of sensitive method
CWE-284 Java/Kotlin java/tainted-permissions-check User-controlled data used in permissions check
CWE-284 Java/Kotlin java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE-284 Java/Kotlin java/improper-intent-verification Improper verification of intent by broadcast receiver
CWE-284 Java/Kotlin java/android/incomplete-provider-permissions Missing read or write permission in a content provider
CWE-284 Java/Kotlin java/android/implicitly-exported-component Implicitly exported Android component
CWE-284 Java/Kotlin java/android/implicit-pendingintents Use of implicit PendingIntents
CWE-284 Java/Kotlin java/android/sensitive-communication Leaking sensitive information through an implicit Intent
CWE-284 Java/Kotlin java/android/sensitive-result-receiver Leaking sensitive information through a ResultReceiver
CWE-284 Java/Kotlin java/android/intent-redirection Android Intent redirection
CWE-284 Java/Kotlin java/ignored-hostname-verification Ignored result of hostname verification
CWE-284 Java/Kotlin java/insecure-ldaps-endpoint Insecure LDAPS Endpoint Configuration
CWE-284 Java/Kotlin java/unvalidated-cors-origin-set CORS is derived from untrusted input
CWE-284 Java/Kotlin java/credentials-in-properties Cleartext Credentials in Properties File
CWE-284 Java/Kotlin java/password-in-configuration Password in configuration file
CWE-284 Java/Kotlin java/permissive-dot-regex URL matched by permissive . in a regular expression
CWE-284 Java/Kotlin java/incorrect-url-verification Incorrect URL verification
CWE-284 JavaScript/TypeScript js/missing-origin-check Missing origin verification in postMessage handler
CWE-284 JavaScript/TypeScript js/exposure-of-private-files Exposure of private files
CWE-284 JavaScript/TypeScript js/disabling-certificate-validation Disabling certificate validation
CWE-284 JavaScript/TypeScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE-284 JavaScript/TypeScript js/password-in-configuration-file Password in configuration file
CWE-284 JavaScript/TypeScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE-284 JavaScript/TypeScript js/session-fixation Failure to abandon session
CWE-284 JavaScript/TypeScript js/remote-property-injection Remote property injection
CWE-284 JavaScript/TypeScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE-284 JavaScript/TypeScript js/missing-rate-limiting Missing rate limiting
CWE-284 JavaScript/TypeScript js/hardcoded-credentials Hard-coded credentials
CWE-284 JavaScript/TypeScript js/user-controlled-bypass User-controlled bypass of security check
CWE-284 JavaScript/TypeScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE-284 JavaScript/TypeScript js/empty-password-in-configuration-file Empty password in configuration file
CWE-284 JavaScript/TypeScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE-284 JavaScript/TypeScript js/remote-property-injection-more-sources Remote property injection with additional heuristic sources
CWE-284 JavaScript/TypeScript js/user-controlled-bypass-more-sources User-controlled bypass of security check with additional heuristic sources
CWE-284 Python py/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE-284 Python py/overly-permissive-file Overly permissive file permissions
CWE-284 Python py/hardcoded-credentials Hard-coded credentials
CWE-284 Python py/flask-constant-secret-key Initializing SECRET_KEY of Flask application with Constant value
CWE-284 Python py/improper-ldap-auth Improper LDAP Authentication
CWE-284 Python py/insecure-ldap-auth Python Insecure LDAP Authentication
CWE-284 Ruby rb/user-controlled-bypass User-controlled bypass of security check
CWE-284 Ruby rb/improper-ldap-auth Improper LDAP Authentication
CWE-284 Ruby rb/insecure-dependency Dependency download using unencrypted communication channel
CWE-284 Ruby rb/weak-cookie-configuration Weak cookie configuration
CWE-284 Ruby rb/overly-permissive-file Overly permissive file permissions
CWE-284 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE-284 Swift swift/constant-password Constant password
CWE-284 Swift swift/hardcoded-key Hard-coded encryption key
CWE-285 C/C++ cpp/world-writable-file-creation File created without restricting permissions
CWE-285 C/C++ cpp/open-call-with-mode-argument File opened with O_CREAT flag but without mode argument
CWE-285 C/C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE-285 C/C++ cpp/pam-auth-bypass PAM Authorization bypass
CWE-285 C# cs/empty-password-in-configuration Empty password in configuration file
CWE-285 C# cs/web/missing-function-level-access-control Missing function level access control
CWE-285 C# cs/web/insecure-direct-object-reference Insecure Direct Object Reference
CWE-285 Go go/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE-285 Java/Kotlin java/local-temp-file-or-directory-information-disclosure Local information disclosure in a temporary directory
CWE-285 Java/Kotlin java/android/intent-uri-permission-manipulation Intent URI permission manipulation
CWE-285 Java/Kotlin java/world-writable-file-read Reading from a world writable file
CWE-285 Java/Kotlin java/android/incomplete-provider-permissions Missing read or write permission in a content provider
CWE-285 Java/Kotlin java/android/implicitly-exported-component Implicitly exported Android component
CWE-285 Java/Kotlin java/android/implicit-pendingintents Use of implicit PendingIntents
CWE-285 Java/Kotlin java/android/sensitive-communication Leaking sensitive information through an implicit Intent
CWE-285 Java/Kotlin java/android/sensitive-result-receiver Leaking sensitive information through a ResultReceiver
CWE-285 Java/Kotlin java/android/intent-redirection Android Intent redirection
CWE-285 Java/Kotlin java/permissive-dot-regex URL matched by permissive . in a regular expression
CWE-285 Java/Kotlin java/incorrect-url-verification Incorrect URL verification
CWE-285 JavaScript/TypeScript js/exposure-of-private-files Exposure of private files
CWE-285 JavaScript/TypeScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE-285 JavaScript/TypeScript js/empty-password-in-configuration-file Empty password in configuration file
CWE-285 JavaScript/TypeScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE-285 Python py/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE-285 Python py/overly-permissive-file Overly permissive file permissions
CWE-285 Ruby rb/weak-cookie-configuration Weak cookie configuration
CWE-285 Ruby rb/overly-permissive-file Overly permissive file permissions
CWE-287 C/C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE-287 C/C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE-287 C# cs/empty-password-in-configuration Empty password in configuration file
CWE-287 C# cs/password-in-configuration Password in configuration file
CWE-287 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE-287 C# cs/session-reuse Failure to abandon session
CWE-287 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-287 C# cs/hardcoded-credentials Hard-coded credentials
CWE-287 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE-287 C# cs/web/broad-cookie-domain Cookie security: overly broad domain
CWE-287 C# cs/web/broad-cookie-path Cookie security: overly broad path
CWE-287 Go go/email-injection Email content injection
CWE-287 Go go/hardcoded-credentials Hard-coded credentials
CWE-287 Go go/improper-ldap-auth Improper LDAP Authentication
CWE-287 Go go/parse-jwt-with-hardcoded-key Decoding JWT with hardcoded key
CWE-287 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE-287 Java/Kotlin java/android/insecure-local-key-gen Insecurely generated keys for local authentication
CWE-287 Java/Kotlin java/android/insecure-local-authentication Insecure local authentication
CWE-287 Java/Kotlin java/insecure-basic-auth Insecure basic authentication
CWE-287 Java/Kotlin java/insecure-ldap-auth Insecure LDAP authentication
CWE-287 Java/Kotlin java/hardcoded-credential-api-call Hard-coded credential in API call
CWE-287 Java/Kotlin java/hardcoded-credential-comparison Hard-coded credential comparison
CWE-287 Java/Kotlin java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE-287 Java/Kotlin java/hardcoded-password-field Hard-coded password field
CWE-287 Java/Kotlin java/user-controlled-bypass User-controlled bypass of sensitive method
CWE-287 Java/Kotlin java/tainted-permissions-check User-controlled data used in permissions check
CWE-287 Java/Kotlin java/credentials-in-properties Cleartext Credentials in Properties File
CWE-287 Java/Kotlin java/password-in-configuration Password in configuration file
CWE-287 JavaScript/TypeScript js/password-in-configuration-file Password in configuration file
CWE-287 JavaScript/TypeScript js/session-fixation Failure to abandon session
CWE-287 JavaScript/TypeScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE-287 JavaScript/TypeScript js/missing-rate-limiting Missing rate limiting
CWE-287 JavaScript/TypeScript js/hardcoded-credentials Hard-coded credentials
CWE-287 JavaScript/TypeScript js/user-controlled-bypass User-controlled bypass of security check
CWE-287 JavaScript/TypeScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE-287 JavaScript/TypeScript js/empty-password-in-configuration-file Empty password in configuration file
CWE-287 JavaScript/TypeScript js/user-controlled-bypass-more-sources User-controlled bypass of security check with additional heuristic sources
CWE-287 Python py/hardcoded-credentials Hard-coded credentials
CWE-287 Python py/flask-constant-secret-key Initializing SECRET_KEY of Flask application with Constant value
CWE-287 Python py/improper-ldap-auth Improper LDAP Authentication
CWE-287 Python py/insecure-ldap-auth Python Insecure LDAP Authentication
CWE-287 Ruby rb/user-controlled-bypass User-controlled bypass of security check
CWE-287 Ruby rb/improper-ldap-auth Improper LDAP Authentication
CWE-287 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE-287 Swift swift/constant-password Constant password
CWE-287 Swift swift/hardcoded-key Hard-coded encryption key
CWE-290 C/C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE-290 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE-290 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE-290 Java/Kotlin java/user-controlled-bypass User-controlled bypass of sensitive method
CWE-290 Java/Kotlin java/tainted-permissions-check User-controlled data used in permissions check
CWE-290 JavaScript/TypeScript js/user-controlled-bypass User-controlled bypass of security check
CWE-290 JavaScript/TypeScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE-290 JavaScript/TypeScript js/user-controlled-bypass-more-sources User-controlled bypass of security check with additional heuristic sources
CWE-290 Ruby rb/user-controlled-bypass User-controlled bypass of security check
CWE-295 C/C++ cpp/certificate-result-conflation Certificate result conflation
CWE-295 C/C++ cpp/certificate-not-checked Certificate not checked
CWE-295 Go go/disabled-certificate-check Disabled TLS certificate check
CWE-295 Java/Kotlin java/android/missing-certificate-pinning Android missing certificate pinning
CWE-295 Java/Kotlin java/improper-webview-certificate-validation Android WebView that accepts all certificates
CWE-295 Java/Kotlin java/insecure-trustmanager TrustManager that accepts all certificates
CWE-295 Java/Kotlin java/insecure-smtp-ssl Insecure JavaMail SSL Configuration
CWE-295 Java/Kotlin java/unsafe-hostname-verification Unsafe hostname verification
CWE-295 Java/Kotlin java/jxbrowser/disabled-certificate-validation JxBrowser with disabled certificate validation
CWE-295 Java/Kotlin java/ignored-hostname-verification Ignored result of hostname verification
CWE-295 Java/Kotlin java/insecure-ldaps-endpoint Insecure LDAPS Endpoint Configuration
CWE-295 Java/Kotlin java/disabled-certificate-revocation-checking Disabled certificate revocation checking
CWE-295 JavaScript/TypeScript js/disabling-certificate-validation Disabling certificate validation
CWE-295 Python py/paramiko-missing-host-key-validation Accepting unknown SSH host keys when using Paramiko
CWE-295 Python py/request-without-cert-validation Request without certificate validation
CWE-295 Ruby rb/request-without-cert-validation Request without certificate validation
CWE-297 Java/Kotlin java/insecure-smtp-ssl Insecure JavaMail SSL Configuration
CWE-297 Java/Kotlin java/unsafe-hostname-verification Unsafe hostname verification
CWE-297 Java/Kotlin java/ignored-hostname-verification Ignored result of hostname verification
CWE-297 Java/Kotlin java/insecure-ldaps-endpoint Insecure LDAPS Endpoint Configuration
CWE-297 JavaScript/TypeScript js/disabling-certificate-validation Disabling certificate validation
CWE-299 Java/Kotlin java/disabled-certificate-revocation-checking Disabled certificate revocation checking
CWE-300 Java/Kotlin java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE-300 JavaScript/TypeScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE-300 Ruby rb/insecure-dependency Dependency download using unencrypted communication channel
CWE-307 JavaScript/TypeScript js/missing-rate-limiting Missing rate limiting
CWE-311 C/C++ cpp/cleartext-storage-buffer Cleartext storage of sensitive information in buffer
CWE-311 C/C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE-311 C/C++ cpp/cleartext-transmission Cleartext transmission of sensitive information
CWE-311 C/C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE-311 C/C++ cpp/non-https-url Failure to use HTTPS URLs
CWE-311 C# cs/password-in-configuration Password in configuration file
CWE-311 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE-311 C# cs/web/requiressl-not-set 'requireSSL' attribute is not set to true
CWE-311 C# cs/web/cookie-secure-not-set 'Secure' attribute is not set to true
CWE-311 Go go/clear-text-logging Clear-text logging of sensitive information
CWE-311 Java/Kotlin java/android/backup-enabled Application backup allowed
CWE-311 Java/Kotlin java/android/cleartext-storage-database Cleartext storage of sensitive information using a local database on Android
CWE-311 Java/Kotlin java/android/cleartext-storage-filesystem Cleartext storage of sensitive information in the Android filesystem
CWE-311 Java/Kotlin java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE-311 Java/Kotlin java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE-311 Java/Kotlin java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE-311 Java/Kotlin java/android/cleartext-storage-shared-prefs Cleartext storage of sensitive information using SharedPreferences on Android
CWE-311 Java/Kotlin java/non-https-url Failure to use HTTPS URLs
CWE-311 Java/Kotlin java/non-ssl-connection Failure to use SSL
CWE-311 Java/Kotlin java/non-ssl-socket-factory Failure to use SSL socket factories
CWE-311 Java/Kotlin java/insecure-basic-auth Insecure basic authentication
CWE-311 Java/Kotlin java/insecure-ldap-auth Insecure LDAP authentication
CWE-311 Java/Kotlin java/insecure-cookie Failure to use secure cookies
CWE-311 Java/Kotlin java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE-311 JavaScript/TypeScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE-311 JavaScript/TypeScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE-311 JavaScript/TypeScript js/clear-text-logging Clear-text logging of sensitive information
CWE-311 JavaScript/TypeScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE-311 JavaScript/TypeScript js/password-in-configuration-file Password in configuration file
CWE-311 JavaScript/TypeScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE-311 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE-311 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE-311 Python py/cookie-injection Construction of a cookie using user-supplied input.
CWE-311 Python py/insecure-cookie Failure to use secure cookies
CWE-311 Ruby rb/insecure-dependency Dependency download using unencrypted communication channel
CWE-311 Ruby rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE-311 Ruby rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE-311 Swift swift/cleartext-storage-database Cleartext storage of sensitive information in a local database
CWE-311 Swift swift/cleartext-transmission Cleartext transmission of sensitive information
CWE-311 Swift swift/cleartext-logging Cleartext logging of sensitive information
CWE-311 Swift swift/cleartext-storage-preferences Cleartext storage of sensitive information in an application preference store
CWE-312 C/C++ cpp/cleartext-storage-buffer Cleartext storage of sensitive information in buffer
CWE-312 C/C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE-312 C/C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE-312 C# cs/password-in-configuration Password in configuration file
CWE-312 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE-312 Go go/clear-text-logging Clear-text logging of sensitive information
CWE-312 Java/Kotlin java/android/backup-enabled Application backup allowed
CWE-312 Java/Kotlin java/android/cleartext-storage-database Cleartext storage of sensitive information using a local database on Android
CWE-312 Java/Kotlin java/android/cleartext-storage-filesystem Cleartext storage of sensitive information in the Android filesystem
CWE-312 Java/Kotlin java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE-312 Java/Kotlin java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE-312 Java/Kotlin java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE-312 Java/Kotlin java/android/cleartext-storage-shared-prefs Cleartext storage of sensitive information using SharedPreferences on Android
CWE-312 JavaScript/TypeScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE-312 JavaScript/TypeScript js/clear-text-logging Clear-text logging of sensitive information
CWE-312 JavaScript/TypeScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE-312 JavaScript/TypeScript js/password-in-configuration-file Password in configuration file
CWE-312 JavaScript/TypeScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE-312 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE-312 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE-312 Ruby rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE-312 Ruby rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE-312 Swift swift/cleartext-storage-database Cleartext storage of sensitive information in a local database
CWE-312 Swift swift/cleartext-logging Cleartext logging of sensitive information
CWE-312 Swift swift/cleartext-storage-preferences Cleartext storage of sensitive information in an application preference store
CWE-313 C/C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE-313 C/C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE-313 C# cs/password-in-configuration Password in configuration file
CWE-313 Java/Kotlin java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE-313 JavaScript/TypeScript js/password-in-configuration-file Password in configuration file
CWE-315 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE-315 Go go/clear-text-logging Clear-text logging of sensitive information
CWE-315 Java/Kotlin java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE-315 JavaScript/TypeScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE-315 JavaScript/TypeScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE-315 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE-319 C/C++ cpp/cleartext-transmission Cleartext transmission of sensitive information
CWE-319 C/C++ cpp/non-https-url Failure to use HTTPS URLs
CWE-319 C# cs/web/requiressl-not-set 'requireSSL' attribute is not set to true
CWE-319 C# cs/web/cookie-secure-not-set 'Secure' attribute is not set to true
CWE-319 Java/Kotlin java/non-https-url Failure to use HTTPS URLs
CWE-319 Java/Kotlin java/non-ssl-connection Failure to use SSL
CWE-319 Java/Kotlin java/non-ssl-socket-factory Failure to use SSL socket factories
CWE-319 Java/Kotlin java/insecure-basic-auth Insecure basic authentication
CWE-319 Java/Kotlin java/insecure-ldap-auth Insecure LDAP authentication
CWE-319 Java/Kotlin java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE-319 JavaScript/TypeScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE-319 JavaScript/TypeScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE-319 Ruby rb/insecure-dependency Dependency download using unencrypted communication channel
CWE-319 Swift swift/cleartext-transmission Cleartext transmission of sensitive information
CWE-321 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE-321 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-321 C# cs/hardcoded-credentials Hard-coded credentials
CWE-321 Go go/hardcoded-credentials Hard-coded credentials
CWE-321 Go go/parse-jwt-with-hardcoded-key Decoding JWT with hardcoded key
CWE-321 JavaScript/TypeScript js/hardcoded-credentials Hard-coded credentials
CWE-321 Python py/hardcoded-credentials Hard-coded credentials
CWE-321 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE-321 Swift swift/hardcoded-key Hard-coded encryption key
CWE-322 Go go/insecure-hostkeycallback Use of insecure HostKeyCallback implementation
CWE-326 C/C++ cpp/boost/tls-settings-misconfiguration boost::asio TLS settings misconfiguration
CWE-326 C/C++ cpp/insufficient-key-size Use of a cryptographic algorithm with insufficient key size
CWE-326 C/C++ cpp/unknown-asymmetric-key-gen-size Unknown key generation key size
CWE-326 C/C++ cpp/weak-asymmetric-key-gen-size Weak asymmetric key generation key size (< 2048 bits)
CWE-326 C# cs/insufficient-key-size Weak encryption: Insufficient key size
CWE-326 Go go/weak-crypto-key Use of a weak cryptographic key
CWE-326 Go go/weak-crypto-algorithm Use of a weak cryptographic algorithm
CWE-326 Java/Kotlin java/insufficient-key-size Use of a cryptographic algorithm with insufficient key size
CWE-326 Java/Kotlin java/weak-cryptographic-algorithm Use of a broken or risky cryptographic algorithm
CWE-326 Java/Kotlin java/potentially-weak-cryptographic-algorithm Use of a potentially broken or risky cryptographic algorithm
CWE-326 JavaScript/TypeScript js/insufficient-key-size Use of a weak cryptographic key
CWE-326 JavaScript/TypeScript js/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE-326 Python py/weak-crypto-key Use of weak cryptographic key
CWE-326 Python py/weak-sensitive-data-hashing Use of a broken or weak cryptographic hashing algorithm on sensitive data
CWE-326 Python py/unknown-asymmetric-key-gen-size Unknown key generation key size
CWE-326 Python py/weak-asymmetric-key-gen-size Weak key generation key size (< 2048 bits)
CWE-326 Swift swift/weak-password-hashing Use of an inappropriate cryptographic hashing algorithm on passwords
CWE-326 Swift swift/weak-sensitive-data-hashing Use of a broken or weak cryptographic hashing algorithm on sensitive data
CWE-327 C/C++ cpp/boost/use-of-deprecated-hardcoded-security-protocol boost::asio use of deprecated hardcoded protocol
CWE-327 C/C++ cpp/weak-cryptographic-algorithm Use of a broken or risky cryptographic algorithm
CWE-327 C/C++ cpp/openssl-heartbleed Use of a version of OpenSSL with Heartbleed
CWE-327 C/C++ cpp/weak-block-mode Weak block mode
CWE-327 C/C++ cpp/weak-elliptic-curve Weak elliptic curve
CWE-327 C/C++ cpp/weak-crypto/banned-encryption-algorithms Weak cryptography
CWE-327 C/C++ cpp/weak-crypto/banned-hash-algorithms Weak cryptography
CWE-327 C# cs/adding-cert-to-root-store Do not add certificates to the system root store.
CWE-327 C# cs/insecure-sql-connection Insecure SQL connection
CWE-327 C# cs/ecb-encryption Encryption using ECB
CWE-327 C# cs/inadequate-rsa-padding Weak encryption: inadequate RSA padding
CWE-327 C# cs/weak-encryption Weak encryption
CWE-327 C# cs/azure-storage/unsafe-usage-of-client-side-encryption-version Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187).
CWE-327 C# cs/hash-without-salt Use of a hash function without a salt
CWE-327 Go go/insecure-tls Insecure TLS configuration
CWE-327 Go go/weak-crypto-algorithm Use of a weak cryptographic algorithm
CWE-327 Java/Kotlin java/weak-cryptographic-algorithm Use of a broken or risky cryptographic algorithm
CWE-327 Java/Kotlin java/potentially-weak-cryptographic-algorithm Use of a potentially broken or risky cryptographic algorithm
CWE-327 Java/Kotlin java/rsa-without-oaep Use of RSA algorithm without OAEP
CWE-327 Java/Kotlin java/azure-storage/unsafe-client-side-encryption-in-use Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187).
CWE-327 Java/Kotlin java/unsafe-tls-version Unsafe TLS version
CWE-327 Java/Kotlin java/hash-without-salt Use of a hash function without a salt
CWE-327 JavaScript/TypeScript js/biased-cryptographic-random Creating biased random numbers from a cryptographically secure source
CWE-327 JavaScript/TypeScript js/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE-327 JavaScript/TypeScript js/insufficient-password-hash Use of password hash with insufficient computational effort
CWE-327 Python py/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE-327 Python py/insecure-default-protocol Default version of SSL/TLS may be insecure
CWE-327 Python py/insecure-protocol Use of insecure SSL/TLS version
CWE-327 Python py/weak-sensitive-data-hashing Use of a broken or weak cryptographic hashing algorithm on sensitive data
CWE-327 Python py/azure-storage/unsafe-client-side-encryption-in-use Unsafe usage of v1 version of Azure Storage client-side encryption.
CWE-327 Python py/weak-block-mode Weak block mode
CWE-327 Python py/weak-elliptic-curve Weak elliptic curve
CWE-327 Python py/weak-hashes Weak hashes
CWE-327 Python py/weak-symmetric-encryption Weak symmetric encryption algorithm
CWE-327 Ruby rb/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE-327 Swift swift/ecb-encryption Encryption using ECB
CWE-327 Swift swift/weak-password-hashing Use of an inappropriate cryptographic hashing algorithm on passwords
CWE-327 Swift swift/weak-sensitive-data-hashing Use of a broken or weak cryptographic hashing algorithm on sensitive data
CWE-327 Swift swift/constant-salt Use of constant salts
CWE-327 Swift swift/insufficient-hash-iterations Insufficient hash iterations
CWE-328 Go go/weak-crypto-algorithm Use of a weak cryptographic algorithm
CWE-328 Java/Kotlin java/weak-cryptographic-algorithm Use of a broken or risky cryptographic algorithm
CWE-328 Java/Kotlin java/potentially-weak-cryptographic-algorithm Use of a potentially broken or risky cryptographic algorithm
CWE-328 JavaScript/TypeScript js/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE-328 Python py/weak-sensitive-data-hashing Use of a broken or weak cryptographic hashing algorithm on sensitive data
CWE-328 Swift swift/weak-password-hashing Use of an inappropriate cryptographic hashing algorithm on passwords
CWE-328 Swift swift/weak-sensitive-data-hashing Use of a broken or weak cryptographic hashing algorithm on sensitive data
CWE-329 Java/Kotlin java/static-initialization-vector Using a static initialization vector for encryption
CWE-329 Swift swift/static-initialization-vector Static initialization vector for encryption
CWE-330 C# cs/random-used-once Random used only once
CWE-330 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE-330 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-330 C# cs/hardcoded-credentials Hard-coded credentials
CWE-330 C# cs/insecure-randomness Insecure randomness
CWE-330 Go go/insecure-randomness Use of insufficient randomness as the key of a cryptographic algorithm
CWE-330 Go go/hardcoded-credentials Hard-coded credentials
CWE-330 Go go/parse-jwt-with-hardcoded-key Decoding JWT with hardcoded key
CWE-330 Java/Kotlin java/random-used-once Random used only once
CWE-330 Java/Kotlin java/static-initialization-vector Using a static initialization vector for encryption
CWE-330 Java/Kotlin java/insecure-randomness Insecure randomness
CWE-330 Java/Kotlin java/predictable-seed Use of a predictable seed in a secure random number generator
CWE-330 Java/Kotlin java/jhipster-prng Detect JHipster Generator Vulnerability CVE-2019-16303
CWE-330 Java/Kotlin java/hardcoded-credential-api-call Hard-coded credential in API call
CWE-330 Java/Kotlin java/hardcoded-credential-comparison Hard-coded credential comparison
CWE-330 Java/Kotlin java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE-330 Java/Kotlin java/hardcoded-password-field Hard-coded password field
CWE-330 JavaScript/TypeScript js/insecure-randomness Insecure randomness
CWE-330 JavaScript/TypeScript js/hardcoded-credentials Hard-coded credentials
CWE-330 JavaScript/TypeScript js/predictable-token Predictable token
CWE-330 Python py/hardcoded-credentials Hard-coded credentials
CWE-330 Python py/insecure-randomness Insecure randomness
CWE-330 Python py/predictable-token Predictable token
CWE-330 Ruby rb/insecure-randomness Insecure randomness
CWE-330 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE-330 Swift swift/static-initialization-vector Static initialization vector for encryption
CWE-330 Swift swift/constant-password Constant password
CWE-330 Swift swift/hardcoded-key Hard-coded encryption key
CWE-335 C# cs/random-used-once Random used only once
CWE-335 Java/Kotlin java/random-used-once Random used only once
CWE-335 Java/Kotlin java/predictable-seed Use of a predictable seed in a secure random number generator
CWE-337 Java/Kotlin java/predictable-seed Use of a predictable seed in a secure random number generator
CWE-338 C# cs/insecure-randomness Insecure randomness
CWE-338 Go go/insecure-randomness Use of insufficient randomness as the key of a cryptographic algorithm
CWE-338 Java/Kotlin java/insecure-randomness Insecure randomness
CWE-338 Java/Kotlin java/jhipster-prng Detect JHipster Generator Vulnerability CVE-2019-16303
CWE-338 JavaScript/TypeScript js/insecure-randomness Insecure randomness
CWE-338 Python py/insecure-randomness Insecure randomness
CWE-338 Ruby rb/insecure-randomness Insecure randomness
CWE-340 JavaScript/TypeScript js/predictable-token Predictable token
CWE-340 Python py/predictable-token Predictable token
CWE-344 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE-344 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-344 C# cs/hardcoded-credentials Hard-coded credentials
CWE-344 Go go/hardcoded-credentials Hard-coded credentials
CWE-344 Go go/parse-jwt-with-hardcoded-key Decoding JWT with hardcoded key
CWE-344 Java/Kotlin java/hardcoded-credential-api-call Hard-coded credential in API call
CWE-344 Java/Kotlin java/hardcoded-credential-comparison Hard-coded credential comparison
CWE-344 Java/Kotlin java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE-344 Java/Kotlin java/hardcoded-password-field Hard-coded password field
CWE-344 JavaScript/TypeScript js/hardcoded-credentials Hard-coded credentials
CWE-344 Python py/hardcoded-credentials Hard-coded credentials
CWE-344 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE-344 Swift swift/constant-password Constant password
CWE-344 Swift swift/hardcoded-key Hard-coded encryption key
CWE-345 C/C++ cpp/non-https-url Failure to use HTTPS URLs
CWE-345 C# cs/web/missing-token-validation Missing cross-site request forgery token validation
CWE-345 Go go/missing-jwt-signature-check Missing JWT signature check
CWE-345 Go go/constant-oauth2-state Use of constant state value in OAuth 2.0 URL
CWE-345 Go go/cors-misconfiguration CORS misconfiguration
CWE-345 Java/Kotlin java/missing-jwt-signature-check Missing JWT signature check
CWE-345 Java/Kotlin java/spring-disabled-csrf-protection Disabled Spring CSRF protection
CWE-345 Java/Kotlin java/unvalidated-cors-origin-set CORS is derived from untrusted input
CWE-345 Java/Kotlin java/ip-address-spoofing IP address spoofing
CWE-345 Java/Kotlin java/jsonp-injection JSONP Injection
CWE-345 JavaScript/TypeScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE-345 JavaScript/TypeScript js/jwt-missing-verification JWT missing secret or public key verification
CWE-345 JavaScript/TypeScript js/missing-token-validation Missing CSRF middleware
CWE-345 JavaScript/TypeScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE-345 Python py/csrf-protection-disabled CSRF protection weakened or disabled
CWE-345 Python py/jwt-missing-verification JWT missing secret or public key verification
CWE-345 Python py/ip-address-spoofing IP address spoofing
CWE-345 Ruby rb/jwt-missing-verification JWT missing secret or public key verification
CWE-345 Ruby rb/csrf-protection-disabled CSRF protection weakened or disabled
CWE-345 Ruby rb/csrf-protection-not-enabled CSRF protection not enabled
CWE-346 Go go/cors-misconfiguration CORS misconfiguration
CWE-346 Java/Kotlin java/unvalidated-cors-origin-set CORS is derived from untrusted input
CWE-346 JavaScript/TypeScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE-346 JavaScript/TypeScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE-347 Go go/missing-jwt-signature-check Missing JWT signature check
CWE-347 Java/Kotlin java/missing-jwt-signature-check Missing JWT signature check
CWE-347 JavaScript/TypeScript js/jwt-missing-verification JWT missing secret or public key verification
CWE-347 Python py/jwt-missing-verification JWT missing secret or public key verification
CWE-347 Ruby rb/jwt-missing-verification JWT missing secret or public key verification
CWE-348 Java/Kotlin java/ip-address-spoofing IP address spoofing
CWE-348 Python py/ip-address-spoofing IP address spoofing
CWE-350 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE-350 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE-352 C# cs/web/missing-token-validation Missing cross-site request forgery token validation
CWE-352 Go go/constant-oauth2-state Use of constant state value in OAuth 2.0 URL
CWE-352 Java/Kotlin java/spring-disabled-csrf-protection Disabled Spring CSRF protection
CWE-352 Java/Kotlin java/jsonp-injection JSONP Injection
CWE-352 JavaScript/TypeScript js/missing-token-validation Missing CSRF middleware
CWE-352 Python py/csrf-protection-disabled CSRF protection weakened or disabled
CWE-352 Ruby rb/csrf-protection-disabled CSRF protection weakened or disabled
CWE-352 Ruby rb/csrf-protection-not-enabled CSRF protection not enabled
CWE-359 C/C++ cpp/cleartext-transmission Cleartext transmission of sensitive information
CWE-359 C/C++ cpp/private-cleartext-write Exposure of private information
CWE-359 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE-359 C# cs/exposure-of-sensitive-information Exposure of private information
CWE-359 Go go/clear-text-logging Clear-text logging of sensitive information
CWE-359 JavaScript/TypeScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE-359 JavaScript/TypeScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE-359 JavaScript/TypeScript js/clear-text-logging Clear-text logging of sensitive information
CWE-359 JavaScript/TypeScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE-359 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE-359 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE-359 Ruby rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE-359 Ruby rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE-359 Swift swift/cleartext-logging Cleartext logging of sensitive information
CWE-362 C/C++ cpp/toctou-race-condition Time-of-check time-of-use filesystem race condition
CWE-362 C/C++ cpp/linux-kernel-double-fetch-vulnerability Linux kernel double-fetch vulnerability detection
CWE-362 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE-362 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE-362 C# cs/thread-unsafe-icryptotransform-field-in-class Thread-unsafe use of a static ICryptoTransform field
CWE-362 C# cs/thread-unsafe-icryptotransform-captured-in-lambda Thread-unsafe capturing of an ICryptoTransform object
CWE-362 Java/Kotlin java/toctou-race-condition Time-of-check time-of-use race condition
CWE-362 Java/Kotlin java/socket-auth-race-condition Race condition in socket authentication
CWE-362 JavaScript/TypeScript js/file-system-race Potential file system race condition
CWE-366 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE-367 C/C++ cpp/toctou-race-condition Time-of-check time-of-use filesystem race condition
CWE-367 Java/Kotlin java/toctou-race-condition Time-of-check time-of-use race condition
CWE-367 JavaScript/TypeScript js/file-system-race Potential file system race condition
CWE-369 C/C++ cpp/divide-by-zero-using-return-value Divide by zero using return value
CWE-369 Go go/divide-by-zero Divide by zero
CWE-377 C/C++ cpp/insecure-generation-of-filename Insecure generation of filenames.
CWE-377 JavaScript/TypeScript js/insecure-temporary-file Insecure temporary file
CWE-377 Python py/insecure-temporary-file Insecure temporary file
CWE-378 JavaScript/TypeScript js/insecure-temporary-file Insecure temporary file
CWE-382 Java/Kotlin java/ejb/container-interference EJB interferes with container operation
CWE-382 Java/Kotlin java/jvm-exit Forcible JVM termination
CWE-383 Java/Kotlin java/ejb/threads EJB uses threads
CWE-384 C# cs/session-reuse Failure to abandon session
CWE-384 JavaScript/TypeScript js/session-fixation Failure to abandon session
CWE-390 C/C++ cpp/operator-find-incorrectly-used-exceptions Operator Find Incorrectly Used Exceptions
CWE-390 C# cs/empty-catch-block Poor error handling: empty catch block
CWE-390 Python py/empty-except Empty except
CWE-391 C# cs/empty-catch-block Poor error handling: empty catch block
CWE-391 Java/Kotlin java/discarded-exception Discarded exception
CWE-391 Java/Kotlin java/ignored-error-status-of-call Ignored error status of call
CWE-395 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE-396 C# cs/catch-of-all-exceptions Generic catch clause
CWE-396 Java/Kotlin java/overly-general-catch Overly-general catch clause
CWE-396 Python py/catch-base-exception Except block handles 'BaseException'
CWE-398 C/C++ cpp/unused-local-variable Unused local variable
CWE-398 C/C++ cpp/unused-static-function Unused static function
CWE-398 C/C++ cpp/unused-static-variable Unused static variable
CWE-398 C/C++ cpp/dead-code-condition Branching condition always evaluates to same value
CWE-398 C/C++ cpp/dead-code-function Function is never called
CWE-398 C/C++ cpp/dead-code-goto Dead code due to goto or break statement
CWE-398 C/C++ cpp/inconsistent-nullness-testing Inconsistent null check of pointer
CWE-398 C/C++ cpp/missing-null-test Returned pointer not checked
CWE-398 C/C++ cpp/unused-variable Variable is assigned a value that is never read
CWE-398 C/C++ cpp/fixme-comment FIXME comment
CWE-398 C/C++ cpp/todo-comment TODO comment
CWE-398 C/C++ cpp/inconsistent-null-check Inconsistent nullness check
CWE-398 C/C++ cpp/useless-expression Expression has no effect
CWE-398 C/C++ cpp/bad-strncpy-size Possibly wrong buffer size in string copy
CWE-398 C/C++ cpp/suspicious-call-to-memset Suspicious call to memset
CWE-398 C/C++ cpp/unsafe-strncat Potentially unsafe call to strncat
CWE-398 C/C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE-398 C/C++ cpp/redundant-null-check-simple Redundant null check due to previous dereference
CWE-398 C/C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE-398 C/C++ cpp/dangerous-function-overflow Use of dangerous function
CWE-398 C/C++ cpp/dangerous-cin Dangerous use of 'cin'
CWE-398 C/C++ cpp/potentially-dangerous-function Use of potentially dangerous function
CWE-398 C/C++ cpp/redundant-null-check-param Redundant null check or missing null check of parameter
CWE-398 C/C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE-398 C/C++ cpp/operator-find-incorrectly-used-switch Incorrect switch statement
CWE-398 C# cs/call-to-obsolete-method Call to obsolete method
CWE-398 C# cs/todo-comment TODO comment
CWE-398 C# cs/dereferenced-value-is-always-null Dereferenced variable is always null
CWE-398 C# cs/dereferenced-value-may-be-null Dereferenced variable may be null
CWE-398 C# cs/unused-reftype Dead reference types
CWE-398 C# cs/useless-assignment-to-local Useless assignment to local variable
CWE-398 C# cs/unused-field Unused field
CWE-398 C# cs/unused-method Unused method
CWE-398 C# cs/useless-cast-to-self Cast to same type
CWE-398 C# cs/useless-is-before-as Useless 'is' before 'as'
CWE-398 C# cs/coalesce-of-identical-expressions Useless ?? expression
CWE-398 C# cs/useless-type-test Useless type test
CWE-398 C# cs/useless-upcast Useless upcast
CWE-398 C# cs/empty-collection Container contents are never initialized
CWE-398 C# cs/unused-collection Container contents are never accessed
CWE-398 C# cs/empty-lock-statement Empty lock statement
CWE-398 C# cs/linq/useless-select Redundant Select
CWE-398 Go go/comparison-of-identical-expressions Comparison of identical values
CWE-398 Go go/useless-assignment-to-field Useless assignment to field
CWE-398 Go go/useless-assignment-to-local Useless assignment to local variable
CWE-398 Go go/duplicate-branches Duplicate 'if' branches
CWE-398 Go go/duplicate-condition Duplicate 'if' condition
CWE-398 Go go/duplicate-switch-case Duplicate switch case
CWE-398 Go go/useless-expression Expression has no effect
CWE-398 Go go/redundant-operation Identical operands
CWE-398 Go go/redundant-assignment Self assignment
CWE-398 Go go/unreachable-statement Unreachable statement
CWE-398 Go go/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE-398 Java/Kotlin java/deprecated-call Deprecated method or constructor invocation
CWE-398 Java/Kotlin java/dead-class Dead class
CWE-398 Java/Kotlin java/dead-enum-constant Dead enum constant
CWE-398 Java/Kotlin java/dead-field Dead field
CWE-398 Java/Kotlin java/dead-function Dead method
CWE-398 Java/Kotlin java/lines-of-dead-code Lines of dead code in files
CWE-398 Java/Kotlin java/unused-parameter Useless parameter
CWE-398 Java/Kotlin java/useless-null-check Useless null check
CWE-398 Java/Kotlin java/useless-type-test Useless type test
CWE-398 Java/Kotlin java/useless-upcast Useless upcast
CWE-398 Java/Kotlin java/empty-container Container contents are never initialized
CWE-398 Java/Kotlin java/unused-container Container contents are never accessed
CWE-398 Java/Kotlin java/constant-comparison Useless comparison test
CWE-398 Java/Kotlin java/dereferenced-value-is-always-null Dereferenced variable is always null
CWE-398 Java/Kotlin java/dereferenced-expr-may-be-null Dereferenced expression may be null
CWE-398 Java/Kotlin java/dereferenced-value-may-be-null Dereferenced variable may be null
CWE-398 Java/Kotlin java/empty-synchronized-block Empty synchronized block
CWE-398 Java/Kotlin java/unreachable-catch-clause Unreachable catch clause
CWE-398 Java/Kotlin java/potentially-dangerous-function Use of a potentially dangerous function
CWE-398 Java/Kotlin java/todo-comment TODO/FIXME comments
CWE-398 Java/Kotlin java/unused-reference-type Unused classes and interfaces
CWE-398 Java/Kotlin java/overwritten-assignment-to-local Assigned value is overwritten
CWE-398 Java/Kotlin java/useless-assignment-to-local Useless assignment to local variable
CWE-398 Java/Kotlin java/unused-initialized-local Local variable is initialized but not used
CWE-398 Java/Kotlin java/local-variable-is-never-read Unread local variable
CWE-398 Java/Kotlin java/unused-field Unused field
CWE-398 Java/Kotlin java/unused-label Unused label
CWE-398 Java/Kotlin java/unused-local-variable Unused local variable
CWE-398 Java/Kotlin java/switch-fall-through Unterminated switch case
CWE-398 Java/Kotlin java/redundant-cast Unnecessary cast
CWE-398 Java/Kotlin java/unused-import Unnecessary import
CWE-398 JavaScript/TypeScript js/todo-comment TODO comment
CWE-398 JavaScript/TypeScript js/eval-like-call Call to eval-like DOM function
CWE-398 JavaScript/TypeScript js/variable-initialization-conflict Conflicting variable initialization
CWE-398 JavaScript/TypeScript js/function-declaration-conflict Conflicting function declarations
CWE-398 JavaScript/TypeScript js/useless-assignment-to-global Useless assignment to global variable
CWE-398 JavaScript/TypeScript js/useless-assignment-to-local Useless assignment to local variable
CWE-398 JavaScript/TypeScript js/overwritten-property Overwritten property
CWE-398 JavaScript/TypeScript js/comparison-of-identical-expressions Comparison of identical values
CWE-398 JavaScript/TypeScript js/comparison-with-nan Comparison with NaN
CWE-398 JavaScript/TypeScript js/duplicate-condition Duplicate 'if' condition
CWE-398 JavaScript/TypeScript js/duplicate-property Duplicate property
CWE-398 JavaScript/TypeScript js/duplicate-switch-case Duplicate switch case
CWE-398 JavaScript/TypeScript js/useless-expression Expression has no effect
CWE-398 JavaScript/TypeScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE-398 JavaScript/TypeScript js/redundant-operation Identical operands
CWE-398 JavaScript/TypeScript js/redundant-assignment Self assignment
CWE-398 JavaScript/TypeScript js/call-to-non-callable Invocation of non-function
CWE-398 JavaScript/TypeScript js/property-access-on-non-object Property access on null or undefined
CWE-398 JavaScript/TypeScript js/unneeded-defensive-code Unneeded defensive code
CWE-398 JavaScript/TypeScript js/useless-type-test Useless type test
CWE-398 JavaScript/TypeScript js/eval-call Use of eval
CWE-398 JavaScript/TypeScript js/node/assignment-to-exports-variable Assignment to exports variable
CWE-398 JavaScript/TypeScript js/regex/unmatchable-caret Unmatchable caret in regular expression
CWE-398 JavaScript/TypeScript js/regex/unmatchable-dollar Unmatchable dollar in regular expression
CWE-398 JavaScript/TypeScript js/useless-assignment-in-return Return statement assigns local variable
CWE-398 JavaScript/TypeScript js/unreachable-statement Unreachable statement
CWE-398 JavaScript/TypeScript js/trivial-conditional Useless conditional
CWE-398 Python py/unreachable-except Unreachable 'except' block
CWE-398 Python py/comparison-of-constants Comparison of constants
CWE-398 Python py/comparison-of-identical-expressions Comparison of identical values
CWE-398 Python py/comparison-missing-self Maybe missing 'self' in comparison
CWE-398 Python py/redundant-comparison Redundant comparison
CWE-398 Python py/duplicate-key-dict-literal Duplicate key in dict literal
CWE-398 Python py/import-deprecated-module Import of deprecated module
CWE-398 Python py/constant-conditional-expression Constant in conditional expression or statement
CWE-398 Python py/redundant-assignment Redundant assignment
CWE-398 Python py/ineffectual-statement Statement has no effect
CWE-398 Python py/unreachable-statement Unreachable code
CWE-398 Python py/multiple-definition Variable defined multiple times
CWE-398 Python py/unused-local-variable Unused local variable
CWE-398 Python py/unused-global-variable Unused global variable
CWE-398 Ruby rb/useless-assignment-to-local Useless assignment to local variable
CWE-398 Ruby rb/unused-parameter Unused parameter.
CWE-400 C/C++ cpp/catch-missing-free Leaky catch
CWE-400 C/C++ cpp/descriptor-may-not-be-closed Open descriptor may not be closed
CWE-400 C/C++ cpp/descriptor-never-closed Open descriptor never closed
CWE-400 C/C++ cpp/file-may-not-be-closed Open file may not be closed
CWE-400 C/C++ cpp/file-never-closed Open file is not closed
CWE-400 C/C++ cpp/memory-may-not-be-freed Memory may not be freed
CWE-400 C/C++ cpp/memory-never-freed Memory is never freed
CWE-400 C/C++ cpp/new-free-mismatch Mismatching new/free or malloc/delete
CWE-400 C/C++ cpp/alloca-in-loop Call to alloca in a loop
CWE-400 C/C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE-400 C/C++ cpp/memory-leak-on-failed-call-to-realloc Memory leak on failed call to realloc
CWE-400 C# cs/redos Denial of Service from comparison of user input against expensive regex
CWE-400 C# cs/regex-injection Regular expression injection
CWE-400 Go go/uncontrolled-allocation-size Slice memory allocation with excessive size value
CWE-400 Java/Kotlin java/input-resource-leak Potential input resource leak
CWE-400 Java/Kotlin java/database-resource-leak Potential database resource leak
CWE-400 Java/Kotlin java/output-resource-leak Potential output resource leak
CWE-400 Java/Kotlin java/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE-400 Java/Kotlin java/redos Inefficient regular expression
CWE-400 Java/Kotlin java/regex-injection Regular expression injection
CWE-400 Java/Kotlin java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE-400 Java/Kotlin java/local-thread-resource-abuse Uncontrolled thread resource consumption from local input source
CWE-400 Java/Kotlin java/thread-resource-abuse Uncontrolled thread resource consumption
CWE-400 JavaScript/TypeScript js/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE-400 JavaScript/TypeScript js/redos Inefficient regular expression
CWE-400 JavaScript/TypeScript js/resource-exhaustion-from-deep-object-traversal Resources exhaustion from deep object traversal
CWE-400 JavaScript/TypeScript js/remote-property-injection Remote property injection
CWE-400 JavaScript/TypeScript js/regex-injection Regular expression injection
CWE-400 JavaScript/TypeScript js/missing-rate-limiting Missing rate limiting
CWE-400 JavaScript/TypeScript js/resource-exhaustion Resource exhaustion
CWE-400 JavaScript/TypeScript js/xml-bomb XML internal entity expansion
CWE-400 JavaScript/TypeScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE-400 JavaScript/TypeScript js/prototype-pollution-utility Prototype-polluting function
CWE-400 JavaScript/TypeScript js/prototype-pollution Prototype-polluting merge call
CWE-400 JavaScript/TypeScript js/remote-property-injection-more-sources Remote property injection with additional heuristic sources
CWE-400 JavaScript/TypeScript js/regex-injection-more-sources Regular expression injection with additional heuristic sources
CWE-400 JavaScript/TypeScript js/resource-exhaustion-more-sources Resource exhaustion with additional heuristic sources
CWE-400 JavaScript/TypeScript js/xml-bomb-more-sources XML internal entity expansion with additional heuristic sources
CWE-400 JavaScript/TypeScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE-400 Python py/file-not-closed File is not always closed
CWE-400 Python py/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE-400 Python py/redos Inefficient regular expression
CWE-400 Python py/regex-injection Regular expression injection
CWE-400 Python py/xml-bomb XML internal entity expansion
CWE-400 Python py/unicode-dos Denial of Service using Unicode Characters
CWE-400 Ruby rb/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE-400 Ruby rb/redos Inefficient regular expression
CWE-400 Ruby rb/regexp-injection Regular expression injection
CWE-400 Swift swift/redos Inefficient regular expression
CWE-400 Swift swift/regex-injection Regular expression injection
CWE-401 C/C++ cpp/catch-missing-free Leaky catch
CWE-401 C/C++ cpp/memory-may-not-be-freed Memory may not be freed
CWE-401 C/C++ cpp/memory-never-freed Memory is never freed
CWE-401 C/C++ cpp/new-free-mismatch Mismatching new/free or malloc/delete
CWE-401 C/C++ cpp/memory-leak-on-failed-call-to-realloc Memory leak on failed call to realloc
CWE-404 C/C++ cpp/catch-missing-free Leaky catch
CWE-404 C/C++ cpp/descriptor-may-not-be-closed Open descriptor may not be closed
CWE-404 C/C++ cpp/descriptor-never-closed Open descriptor never closed
CWE-404 C/C++ cpp/file-may-not-be-closed Open file may not be closed
CWE-404 C/C++ cpp/file-never-closed Open file is not closed
CWE-404 C/C++ cpp/memory-may-not-be-freed Memory may not be freed
CWE-404 C/C++ cpp/memory-never-freed Memory is never freed
CWE-404 C/C++ cpp/new-free-mismatch Mismatching new/free or malloc/delete
CWE-404 C/C++ cpp/memory-leak-on-failed-call-to-realloc Memory leak on failed call to realloc
CWE-404 C/C++ cpp/resource-not-released-in-destructor Resource not released in destructor
CWE-404 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE-404 C# cs/member-not-disposed Missing Dispose call
CWE-404 C# cs/missing-dispose-method Missing Dispose method
CWE-404 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE-404 Java/Kotlin java/missing-super-finalize Finalizer inconsistency
CWE-404 Java/Kotlin java/input-resource-leak Potential input resource leak
CWE-404 Java/Kotlin java/database-resource-leak Potential database resource leak
CWE-404 Java/Kotlin java/output-resource-leak Potential output resource leak
CWE-404 Java/Kotlin java/empty-finalizer Empty body of finalizer
CWE-404 Java/Kotlin java/disabled-certificate-revocation-checking Disabled certificate revocation checking
CWE-404 Python py/file-not-closed File is not always closed
CWE-405 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-405 C# cs/insecure-xml-read XML is read insecurely
CWE-405 Go go/uncontrolled-file-decompression Uncontrolled file decompression
CWE-405 Java/Kotlin java/xxe Resolving XML external entity in user-controlled data
CWE-405 Java/Kotlin java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE-405 JavaScript/TypeScript js/xml-bomb XML internal entity expansion
CWE-405 JavaScript/TypeScript js/xml-bomb-more-sources XML internal entity expansion with additional heuristic sources
CWE-405 Python py/xml-bomb XML internal entity expansion
CWE-405 Python py/decompression-bomb Decompression Bomb
CWE-405 Python py/simple-xml-rpc-server-dos SimpleXMLRPCServer denial of service
CWE-405 Ruby rb/user-controlled-file-decompression User-controlled file decompression
CWE-405 Ruby rb/xxe XML external entity expansion
CWE-405 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE-409 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-409 C# cs/insecure-xml-read XML is read insecurely
CWE-409 Go go/uncontrolled-file-decompression Uncontrolled file decompression
CWE-409 Java/Kotlin java/xxe Resolving XML external entity in user-controlled data
CWE-409 Java/Kotlin java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE-409 JavaScript/TypeScript js/xml-bomb XML internal entity expansion
CWE-409 JavaScript/TypeScript js/xml-bomb-more-sources XML internal entity expansion with additional heuristic sources
CWE-409 Python py/xml-bomb XML internal entity expansion
CWE-409 Python py/decompression-bomb Decompression Bomb
CWE-409 Python py/simple-xml-rpc-server-dos SimpleXMLRPCServer denial of service
CWE-409 Ruby rb/user-controlled-file-decompression User-controlled file decompression
CWE-409 Ruby rb/xxe XML external entity expansion
CWE-409 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE-413 Java/Kotlin java/unsynchronized-getter Inconsistent synchronization of getter and setter
CWE-415 C/C++ cpp/double-free Potential double free
CWE-415 C/C++ cpp/experimental-double-free Errors When Double Free
CWE-415 C/C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE-416 C/C++ cpp/use-after-free Potential use after free
CWE-416 C/C++ cpp/use-of-string-after-lifetime-ends Use of string after lifetime ends
CWE-416 C/C++ cpp/use-of-unique-pointer-after-lifetime-ends Use of unique pointer after lifetime ends
CWE-416 C/C++ cpp/iterator-to-expired-container Iterator to expired container
CWE-416 C/C++ cpp/use-after-expired-lifetime Use of object after its lifetime has ended
CWE-420 Java/Kotlin java/socket-auth-race-condition Race condition in socket authentication
CWE-421 Java/Kotlin java/socket-auth-race-condition Race condition in socket authentication
CWE-428 C/C++ cpp/unsafe-create-process-call NULL application name with an unquoted path in call to CreateProcess
CWE-434 C# cs/web/file-upload Use of file upload
CWE-434 JavaScript/TypeScript js/http-to-file-access Network data written to file
CWE-434 Ruby rb/http-to-file-access Network data written to file
CWE-435 C/C++ cpp/memset-may-be-deleted Call to memset may be deleted
CWE-435 JavaScript/TypeScript js/insecure-http-parser Insecure http parser
CWE-436 JavaScript/TypeScript js/insecure-http-parser Insecure http parser
CWE-441 C# cs/request-forgery Server-side request forgery
CWE-441 Go go/request-forgery Uncontrolled data used in network request
CWE-441 Go go/ssrf Uncontrolled data used in network request
CWE-441 Java/Kotlin java/android/unsafe-content-uri-resolution Uncontrolled data used in content resolution
CWE-441 Java/Kotlin java/ssrf Server-side request forgery
CWE-441 JavaScript/TypeScript js/client-side-request-forgery Client-side request forgery
CWE-441 JavaScript/TypeScript js/request-forgery Server-side request forgery
CWE-441 JavaScript/TypeScript javascript/ssrf Uncontrolled data used in network request
CWE-441 Python py/full-ssrf Full server-side request forgery
CWE-441 Python py/partial-ssrf Partial server-side request forgery
CWE-441 Ruby rb/request-forgery Server-side request forgery
CWE-444 JavaScript/TypeScript js/insecure-http-parser Insecure http parser
CWE-451 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-451 JavaScript/TypeScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-454 Java/Kotlin java/exec-tainted-environment Building a command with an injected environment variable
CWE-456 C/C++ cpp/initialization-not-run Initialization code not run
CWE-457 C/C++ cpp/global-use-before-init Global variable may be used before initialization
CWE-457 C/C++ cpp/not-initialised Variable not initialized before use
CWE-457 C/C++ cpp/uninitialized-local Potentially uninitialized local variable
CWE-457 C/C++ cpp/conditionally-uninitialized-variable Conditionally uninitialized variable
CWE-457 C# cs/unassigned-field Field is never assigned a non-default value
CWE-457 Java/Kotlin java/unassigned-field Field is never assigned a non-null value
CWE-459 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE-459 C# cs/member-not-disposed Missing Dispose call
CWE-459 C# cs/missing-dispose-method Missing Dispose method
CWE-459 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE-459 Java/Kotlin java/missing-super-finalize Finalizer inconsistency
CWE-459 Java/Kotlin java/empty-finalizer Empty body of finalizer
CWE-460 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE-460 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE-467 C/C++ cpp/suspicious-sizeof Suspicious 'sizeof' use
CWE-468 C/C++ cpp/suspicious-pointer-scaling Suspicious pointer scaling
CWE-468 C/C++ cpp/incorrect-pointer-scaling-char Suspicious pointer scaling to char
CWE-468 C/C++ cpp/suspicious-pointer-scaling-void Suspicious pointer scaling to void
CWE-468 C/C++ cpp/suspicious-add-sizeof Suspicious add with sizeof
CWE-470 Java/Kotlin java/android/fragment-injection Android fragment injection
CWE-470 Java/Kotlin java/android/fragment-injection-preference-activity Android fragment injection in PreferenceActivity
CWE-470 Java/Kotlin java/android/unsafe-reflection Load 3rd party classes or code ('unsafe reflection') without signature check
CWE-470 Java/Kotlin java/unsafe-reflection Use of externally-controlled input to select classes or code ('unsafe reflection')
CWE-471 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE-471 JavaScript/TypeScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE-471 JavaScript/TypeScript js/prototype-pollution-utility Prototype-polluting function
CWE-471 JavaScript/TypeScript js/prototype-pollution Prototype-polluting merge call
CWE-471 JavaScript/TypeScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE-472 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE-476 C/C++ cpp/inconsistent-nullness-testing Inconsistent null check of pointer
CWE-476 C/C++ cpp/missing-null-test Returned pointer not checked
CWE-476 C/C++ cpp/inconsistent-null-check Inconsistent nullness check
CWE-476 C/C++ cpp/redundant-null-check-simple Redundant null check due to previous dereference
CWE-476 C/C++ cpp/redundant-null-check-param Redundant null check or missing null check of parameter
CWE-476 C/C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE-476 C# cs/dereferenced-value-is-always-null Dereferenced variable is always null
CWE-476 C# cs/dereferenced-value-may-be-null Dereferenced variable may be null
CWE-476 Java/Kotlin java/dereferenced-value-is-always-null Dereferenced variable is always null
CWE-476 Java/Kotlin java/dereferenced-expr-may-be-null Dereferenced expression may be null
CWE-476 Java/Kotlin java/dereferenced-value-may-be-null Dereferenced variable may be null
CWE-476 JavaScript/TypeScript js/call-to-non-callable Invocation of non-function
CWE-476 JavaScript/TypeScript js/property-access-on-non-object Property access on null or undefined
CWE-477 C# cs/call-to-obsolete-method Call to obsolete method
CWE-477 Java/Kotlin java/deprecated-call Deprecated method or constructor invocation
CWE-477 Python py/import-deprecated-module Import of deprecated module
CWE-478 C/C++ cpp/missing-case-in-switch Missing enum case in switch
CWE-478 C/C++ cpp/operator-find-incorrectly-used-switch Incorrect switch statement
CWE-478 Java/Kotlin java/missing-default-in-switch Missing default case in switch
CWE-478 Java/Kotlin java/missing-case-in-switch Missing enum case in switch
CWE-480 C/C++ cpp/assign-where-compare-meant Assignment where comparison was intended
CWE-480 C/C++ cpp/compare-where-assign-meant Comparison where assignment was intended
CWE-480 C/C++ cpp/incorrect-not-operator-usage Incorrect 'not' operator usage
CWE-480 C/C++ cpp/logical-operator-applied-to-flag Short-circuiting operator applied to flag
CWE-480 C/C++ cpp/operator-precedence-logic-error-when-use-bitwise-logical-operations Operator Precedence Logic Error When Use Bitwise Or Logical Operations
CWE-480 C/C++ cpp/operator-precedence-logic-error-when-use-bool-type Operator Precedence Logic Error When Use Bool Type
CWE-480 C# cs/non-short-circuit Potentially dangerous use of non-short-circuit logic
CWE-480 Go go/useless-expression Expression has no effect
CWE-480 Go go/redundant-operation Identical operands
CWE-480 Go go/redundant-assignment Self assignment
CWE-480 Java/Kotlin java/assignment-in-boolean-expression Assignment in Boolean expression
CWE-480 Java/Kotlin java/reference-equality-on-strings Reference equality test on strings
CWE-480 JavaScript/TypeScript js/useless-expression Expression has no effect
CWE-480 JavaScript/TypeScript js/redundant-operation Identical operands
CWE-480 JavaScript/TypeScript js/redundant-assignment Self assignment
CWE-480 JavaScript/TypeScript js/deletion-of-non-property Deleting non-property
CWE-481 C/C++ cpp/assign-where-compare-meant Assignment where comparison was intended
CWE-481 Java/Kotlin java/assignment-in-boolean-expression Assignment in Boolean expression
CWE-482 C/C++ cpp/compare-where-assign-meant Comparison where assignment was intended
CWE-483 JavaScript/TypeScript js/misleading-indentation-of-dangling-else Misleading indentation of dangling 'else'
CWE-483 JavaScript/TypeScript js/misleading-indentation-after-control-statement Misleading indentation after control statement
CWE-484 Java/Kotlin java/switch-fall-through Unterminated switch case
CWE-485 C# cs/class-name-comparison Erroneous class compare
CWE-485 C# cs/cast-from-abstract-to-concrete-collection Cast from abstract to concrete collection
CWE-485 C# cs/expose-implementation Exposing internal representation
CWE-485 C# cs/web/debug-code ASP.NET: leftover debug code
CWE-485 Java/Kotlin java/missing-call-to-super-clone Missing super clone
CWE-485 Java/Kotlin java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE-485 Java/Kotlin java/android/debuggable-attribute-enabled Android debuggable attribute enabled
CWE-485 Java/Kotlin java/android/webview-debugging-enabled Android Webview debugging enabled
CWE-485 Java/Kotlin java/trust-boundary-violation Trust boundary violation
CWE-485 Java/Kotlin java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android WebView
CWE-485 Java/Kotlin java/abstract-to-concrete-cast Cast from abstract to concrete collection
CWE-485 Java/Kotlin java/internal-representation-exposure Exposing internal representation
CWE-485 Java/Kotlin java/main-method-in-enterprise-bean Main Method in Enterprise Java Bean
CWE-485 Java/Kotlin java/main-method-in-web-components Main Method in Java EE Web Components
CWE-485 Java/Kotlin java/struts-development-mode Apache Struts development mode enabled
CWE-485 JavaScript/TypeScript js/alert-call Invocation of alert
CWE-485 JavaScript/TypeScript js/debugger-statement Use of debugger statement
CWE-485 JavaScript/TypeScript js/exposure-of-private-files Exposure of private files
CWE-485 Python py/flask-debug Flask app is run in debug mode
CWE-485 Swift swift/unsafe-webview-fetch Unsafe WebView fetch
CWE-485 Swift swift/unsafe-js-eval JavaScript Injection
CWE-486 C# cs/class-name-comparison Erroneous class compare
CWE-489 C# cs/web/debug-code ASP.NET: leftover debug code
CWE-489 Java/Kotlin java/android/debuggable-attribute-enabled Android debuggable attribute enabled
CWE-489 Java/Kotlin java/android/webview-debugging-enabled Android Webview debugging enabled
CWE-489 Java/Kotlin java/main-method-in-enterprise-bean Main Method in Enterprise Java Bean
CWE-489 Java/Kotlin java/main-method-in-web-components Main Method in Java EE Web Components
CWE-489 Java/Kotlin java/struts-development-mode Apache Struts development mode enabled
CWE-489 JavaScript/TypeScript js/alert-call Invocation of alert
CWE-489 JavaScript/TypeScript js/debugger-statement Use of debugger statement
CWE-489 Python py/flask-debug Flask app is run in debug mode
CWE-494 Java/Kotlin java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE-494 JavaScript/TypeScript js/enabling-electron-insecure-content Enabling Electron allowRunningInsecureContent
CWE-494 JavaScript/TypeScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE-494 Ruby rb/insecure-dependency Dependency download using unencrypted communication channel
CWE-497 C/C++ cpp/system-data-exposure Exposure of system data to an unauthorized control sphere
CWE-497 C/C++ cpp/potential-system-data-exposure Potential exposure of sensitive system data to an unauthorized control sphere
CWE-497 C# cs/information-exposure-through-exception Information exposure through an exception
CWE-497 Go go/stack-trace-exposure Information exposure through a stack trace
CWE-497 Java/Kotlin java/stack-trace-exposure Information exposure through a stack trace
CWE-497 JavaScript/TypeScript js/stack-trace-exposure Information exposure through a stack trace
CWE-497 Python py/stack-trace-exposure Information exposure through an exception
CWE-497 Ruby rb/stack-trace-exposure Information exposure through an exception
CWE-499 Java/Kotlin java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE-501 Java/Kotlin java/trust-boundary-violation Trust boundary violation
CWE-502 C# cs/deserialized-delegate Deserialized delegate
CWE-502 C# cs/unsafe-deserialization Unsafe deserializer
CWE-502 C# cs/unsafe-deserialization-untrusted-input Deserialization of untrusted data
CWE-502 Java/Kotlin java/unsafe-deserialization Deserialization of user-controlled data
CWE-502 Java/Kotlin java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE-502 Java/Kotlin java/unsafe-deserialization-rmi Unsafe deserialization in a remotely callable method.
CWE-502 Java/Kotlin java/unsafe-deserialization-spring-exporter-in-configuration-class Unsafe deserialization with Spring's remote service exporters.
CWE-502 Java/Kotlin java/unsafe-deserialization-spring-exporter-in-xml-configuration Unsafe deserialization with Spring's remote service exporters.
CWE-502 JavaScript/TypeScript js/unsafe-deserialization Deserialization of user-controlled data
CWE-502 JavaScript/TypeScript js/unsafe-deserialization-more-sources Deserialization of user-controlled data with additional heuristic sources
CWE-502 Python py/unsafe-deserialization Deserialization of user-controlled data
CWE-502 Ruby rb/unsafe-unsafeyamldeserialization Deserialization of user-controlled yaml data
CWE-502 Ruby rb/unsafe-deserialization Deserialization of user-controlled data
CWE-506 JavaScript/TypeScript js/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE-506 Ruby rb/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE-521 C# cs/empty-password-in-configuration Empty password in configuration file
CWE-521 JavaScript/TypeScript js/empty-password-in-configuration-file Empty password in configuration file
CWE-522 C/C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE-522 C# cs/empty-password-in-configuration Empty password in configuration file
CWE-522 C# cs/password-in-configuration Password in configuration file
CWE-522 Java/Kotlin java/insecure-basic-auth Insecure basic authentication
CWE-522 Java/Kotlin java/insecure-ldap-auth Insecure LDAP authentication
CWE-522 Java/Kotlin java/credentials-in-properties Cleartext Credentials in Properties File
CWE-522 Java/Kotlin java/password-in-configuration Password in configuration file
CWE-522 JavaScript/TypeScript js/password-in-configuration-file Password in configuration file
CWE-522 JavaScript/TypeScript js/empty-password-in-configuration-file Empty password in configuration file
CWE-522 Python py/insecure-ldap-auth Python Insecure LDAP Authentication
CWE-523 Python py/insecure-ldap-auth Python Insecure LDAP Authentication
CWE-524 Java/Kotlin java/android/sensitive-keyboard-cache Android sensitive keyboard cache
CWE-532 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE-532 Java/Kotlin java/sensitive-log Insertion of sensitive information into log files
CWE-532 JavaScript/TypeScript js/clear-text-logging Clear-text logging of sensitive information
CWE-532 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE-532 Ruby rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE-532 Ruby rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE-532 Swift swift/cleartext-logging Cleartext logging of sensitive information
CWE-538 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE-538 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE-538 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE-538 Java/Kotlin java/sensitive-log Insertion of sensitive information into log files
CWE-538 Java/Kotlin java/server-directory-listing Directories and files exposure
CWE-538 JavaScript/TypeScript js/exposure-of-private-files Exposure of private files
CWE-538 JavaScript/TypeScript js/clear-text-logging Clear-text logging of sensitive information
CWE-538 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE-538 Ruby rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE-538 Ruby rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE-538 Swift swift/cleartext-logging Cleartext logging of sensitive information
CWE-539 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE-543 Java/Kotlin java/lazy-initialization Incorrect lazy initialization of a static field
CWE-546 C/C++ cpp/fixme-comment FIXME comment
CWE-546 C/C++ cpp/todo-comment TODO comment
CWE-546 C# cs/todo-comment TODO comment
CWE-546 Java/Kotlin java/todo-comment TODO/FIXME comments
CWE-546 JavaScript/TypeScript js/todo-comment TODO comment
CWE-548 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE-548 Java/Kotlin java/server-directory-listing Directories and files exposure
CWE-548 JavaScript/TypeScript js/exposure-of-private-files Exposure of private files
CWE-552 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE-552 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE-552 Java/Kotlin java/sensitive-log Insertion of sensitive information into log files
CWE-552 Java/Kotlin java/unvalidated-url-forward URL forward from a remote source
CWE-552 Java/Kotlin java/server-directory-listing Directories and files exposure
CWE-552 JavaScript/TypeScript js/exposure-of-private-files Exposure of private files
CWE-552 JavaScript/TypeScript js/clear-text-logging Clear-text logging of sensitive information
CWE-552 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE-552 Ruby rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE-552 Ruby rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE-552 Swift swift/cleartext-logging Cleartext logging of sensitive information
CWE-555 Java/Kotlin java/credentials-in-properties Cleartext Credentials in Properties File
CWE-555 Java/Kotlin java/password-in-configuration Password in configuration file
CWE-560 C/C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE-561 C/C++ cpp/unused-static-function Unused static function
CWE-561 C/C++ cpp/dead-code-condition Branching condition always evaluates to same value
CWE-561 C/C++ cpp/dead-code-function Function is never called
CWE-561 C/C++ cpp/dead-code-goto Dead code due to goto or break statement
CWE-561 C/C++ cpp/useless-expression Expression has no effect
CWE-561 C/C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE-561 C/C++ cpp/operator-find-incorrectly-used-switch Incorrect switch statement
CWE-561 C# cs/unused-reftype Dead reference types
CWE-561 C# cs/unused-field Unused field
CWE-561 C# cs/unused-method Unused method
CWE-561 C# cs/useless-cast-to-self Cast to same type
CWE-561 C# cs/useless-is-before-as Useless 'is' before 'as'
CWE-561 C# cs/coalesce-of-identical-expressions Useless ?? expression
CWE-561 C# cs/useless-type-test Useless type test
CWE-561 C# cs/useless-upcast Useless upcast
CWE-561 C# cs/empty-collection Container contents are never initialized
CWE-561 C# cs/unused-collection Container contents are never accessed
CWE-561 C# cs/linq/useless-select Redundant Select
CWE-561 Go go/comparison-of-identical-expressions Comparison of identical values
CWE-561 Go go/duplicate-branches Duplicate 'if' branches
CWE-561 Go go/duplicate-condition Duplicate 'if' condition
CWE-561 Go go/duplicate-switch-case Duplicate switch case
CWE-561 Go go/useless-expression Expression has no effect
CWE-561 Go go/redundant-operation Identical operands
CWE-561 Go go/redundant-assignment Self assignment
CWE-561 Go go/unreachable-statement Unreachable statement
CWE-561 Go go/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE-561 Java/Kotlin java/dead-class Dead class
CWE-561 Java/Kotlin java/dead-enum-constant Dead enum constant
CWE-561 Java/Kotlin java/dead-field Dead field
CWE-561 Java/Kotlin java/dead-function Dead method
CWE-561 Java/Kotlin java/lines-of-dead-code Lines of dead code in files
CWE-561 Java/Kotlin java/unused-parameter Useless parameter
CWE-561 Java/Kotlin java/useless-null-check Useless null check
CWE-561 Java/Kotlin java/useless-type-test Useless type test
CWE-561 Java/Kotlin java/useless-upcast Useless upcast
CWE-561 Java/Kotlin java/empty-container Container contents are never initialized
CWE-561 Java/Kotlin java/unused-container Container contents are never accessed
CWE-561 Java/Kotlin java/constant-comparison Useless comparison test
CWE-561 Java/Kotlin java/unreachable-catch-clause Unreachable catch clause
CWE-561 Java/Kotlin java/unused-reference-type Unused classes and interfaces
CWE-561 Java/Kotlin java/useless-assignment-to-local Useless assignment to local variable
CWE-561 Java/Kotlin java/local-variable-is-never-read Unread local variable
CWE-561 Java/Kotlin java/unused-field Unused field
CWE-561 Java/Kotlin java/unused-label Unused label
CWE-561 Java/Kotlin java/redundant-cast Unnecessary cast
CWE-561 Java/Kotlin java/unused-import Unnecessary import
CWE-561 JavaScript/TypeScript js/comparison-of-identical-expressions Comparison of identical values
CWE-561 JavaScript/TypeScript js/comparison-with-nan Comparison with NaN
CWE-561 JavaScript/TypeScript js/duplicate-condition Duplicate 'if' condition
CWE-561 JavaScript/TypeScript js/duplicate-switch-case Duplicate switch case
CWE-561 JavaScript/TypeScript js/useless-expression Expression has no effect
CWE-561 JavaScript/TypeScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE-561 JavaScript/TypeScript js/redundant-operation Identical operands
CWE-561 JavaScript/TypeScript js/redundant-assignment Self assignment
CWE-561 JavaScript/TypeScript js/unneeded-defensive-code Unneeded defensive code
CWE-561 JavaScript/TypeScript js/useless-type-test Useless type test
CWE-561 JavaScript/TypeScript js/regex/unmatchable-caret Unmatchable caret in regular expression
CWE-561 JavaScript/TypeScript js/regex/unmatchable-dollar Unmatchable dollar in regular expression
CWE-561 JavaScript/TypeScript js/unreachable-statement Unreachable statement
CWE-561 JavaScript/TypeScript js/trivial-conditional Useless conditional
CWE-561 Python py/unreachable-except Unreachable 'except' block
CWE-561 Python py/comparison-of-constants Comparison of constants
CWE-561 Python py/comparison-of-identical-expressions Comparison of identical values
CWE-561 Python py/comparison-missing-self Maybe missing 'self' in comparison
CWE-561 Python py/redundant-comparison Redundant comparison
CWE-561 Python py/duplicate-key-dict-literal Duplicate key in dict literal
CWE-561 Python py/constant-conditional-expression Constant in conditional expression or statement
CWE-561 Python py/ineffectual-statement Statement has no effect
CWE-561 Python py/unreachable-statement Unreachable code
CWE-563 C/C++ cpp/unused-local-variable Unused local variable
CWE-563 C/C++ cpp/unused-static-variable Unused static variable
CWE-563 C/C++ cpp/unused-variable Variable is assigned a value that is never read
CWE-563 C# cs/useless-assignment-to-local Useless assignment to local variable
CWE-563 Go go/useless-assignment-to-field Useless assignment to field
CWE-563 Go go/useless-assignment-to-local Useless assignment to local variable
CWE-563 Java/Kotlin java/overwritten-assignment-to-local Assigned value is overwritten
CWE-563 Java/Kotlin java/unused-initialized-local Local variable is initialized but not used
CWE-563 Java/Kotlin java/unused-local-variable Unused local variable
CWE-563 JavaScript/TypeScript js/variable-initialization-conflict Conflicting variable initialization
CWE-563 JavaScript/TypeScript js/function-declaration-conflict Conflicting function declarations
CWE-563 JavaScript/TypeScript js/useless-assignment-to-global Useless assignment to global variable
CWE-563 JavaScript/TypeScript js/useless-assignment-to-local Useless assignment to local variable
CWE-563 JavaScript/TypeScript js/overwritten-property Overwritten property
CWE-563 JavaScript/TypeScript js/duplicate-property Duplicate property
CWE-563 JavaScript/TypeScript js/node/assignment-to-exports-variable Assignment to exports variable
CWE-563 JavaScript/TypeScript js/useless-assignment-in-return Return statement assigns local variable
CWE-563 Python py/redundant-assignment Redundant assignment
CWE-563 Python py/multiple-definition Variable defined multiple times
CWE-563 Python py/unused-local-variable Unused local variable
CWE-563 Python py/unused-global-variable Unused global variable
CWE-563 Ruby rb/useless-assignment-to-local Useless assignment to local variable
CWE-563 Ruby rb/unused-parameter Unused parameter.
CWE-564 Java/Kotlin java/concatenated-sql-query Query built by concatenation with a possibly-untrusted string
CWE-564 Java/Kotlin java/sql-injection Query built from user-controlled sources
CWE-564 Java/Kotlin java/sql-injection-local Query built from local-user-controlled sources
CWE-567 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE-568 Java/Kotlin java/missing-super-finalize Finalizer inconsistency
CWE-568 Java/Kotlin java/empty-finalizer Empty body of finalizer
CWE-570 C/C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE-570 Go go/comparison-of-identical-expressions Comparison of identical values
CWE-570 Java/Kotlin java/constant-comparison Useless comparison test
CWE-570 JavaScript/TypeScript js/comparison-of-identical-expressions Comparison of identical values
CWE-570 JavaScript/TypeScript js/comparison-with-nan Comparison with NaN
CWE-570 JavaScript/TypeScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE-570 JavaScript/TypeScript js/unneeded-defensive-code Unneeded defensive code
CWE-570 JavaScript/TypeScript js/useless-type-test Useless type test
CWE-570 JavaScript/TypeScript js/trivial-conditional Useless conditional
CWE-570 Python py/comparison-of-constants Comparison of constants
CWE-570 Python py/comparison-of-identical-expressions Comparison of identical values
CWE-570 Python py/comparison-missing-self Maybe missing 'self' in comparison
CWE-570 Python py/redundant-comparison Redundant comparison
CWE-570 Python py/constant-conditional-expression Constant in conditional expression or statement
CWE-571 Go go/comparison-of-identical-expressions Comparison of identical values
CWE-571 Java/Kotlin java/constant-comparison Useless comparison test
CWE-571 JavaScript/TypeScript js/comparison-of-identical-expressions Comparison of identical values
CWE-571 JavaScript/TypeScript js/comparison-with-nan Comparison with NaN
CWE-571 JavaScript/TypeScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE-571 JavaScript/TypeScript js/unneeded-defensive-code Unneeded defensive code
CWE-571 JavaScript/TypeScript js/useless-type-test Useless type test
CWE-571 JavaScript/TypeScript js/trivial-conditional Useless conditional
CWE-571 Python py/comparison-of-constants Comparison of constants
CWE-571 Python py/comparison-of-identical-expressions Comparison of identical values
CWE-571 Python py/comparison-missing-self Maybe missing 'self' in comparison
CWE-571 Python py/redundant-comparison Redundant comparison
CWE-571 Python py/constant-conditional-expression Constant in conditional expression or statement
CWE-572 Java/Kotlin java/call-to-thread-run Direct call to a run() method
CWE-573 C/C++ cpp/double-free Potential double free
CWE-573 C/C++ cpp/incorrectly-checked-scanf Incorrect return-value check for a 'scanf'-like function
CWE-573 C/C++ cpp/missing-check-scanf Missing return-value check for a 'scanf'-like function
CWE-573 C/C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE-573 C/C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE-573 C/C++ cpp/wrong-type-format-argument Wrong type of arguments to formatting function
CWE-573 C/C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE-573 C/C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE-573 C/C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE-573 C/C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE-573 C/C++ cpp/twice-locked Mutex locked twice
CWE-573 C/C++ cpp/unreleased-lock Lock may not be released
CWE-573 C/C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE-573 C/C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE-573 C/C++ cpp/experimental-double-free Errors When Double Free
CWE-573 C/C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE-573 C/C++ cpp/double-release Errors When Double Release
CWE-573 C# cs/inconsistent-equals-and-gethashcode Inconsistent Equals(object) and GetHashCode()
CWE-573 C# cs/invalid-dynamic-call Bad dynamic call
CWE-573 Java/Kotlin java/ejb/container-interference EJB interferes with container operation
CWE-573 Java/Kotlin java/ejb/file-io EJB uses file input/output
CWE-573 Java/Kotlin java/ejb/graphics EJB uses graphics
CWE-573 Java/Kotlin java/ejb/native-code EJB uses native code
CWE-573 Java/Kotlin java/ejb/reflection EJB uses reflection
CWE-573 Java/Kotlin java/ejb/security-configuration-access EJB accesses security configuration
CWE-573 Java/Kotlin java/ejb/substitution-in-serialization EJB uses substitution in serialization
CWE-573 Java/Kotlin java/ejb/socket-or-stream-handler-factory EJB sets socket factory or URL stream handler factory
CWE-573 Java/Kotlin java/ejb/server-socket EJB uses server socket
CWE-573 Java/Kotlin java/ejb/non-final-static-field EJB uses non-final static field
CWE-573 Java/Kotlin java/ejb/synchronization EJB uses synchronization
CWE-573 Java/Kotlin java/ejb/this EJB uses 'this' as argument or result
CWE-573 Java/Kotlin java/ejb/threads EJB uses threads
CWE-573 Java/Kotlin java/missing-call-to-super-clone Missing super clone
CWE-573 Java/Kotlin java/inconsistent-equals-and-hashcode Inconsistent equals and hashCode
CWE-573 Java/Kotlin java/unreleased-lock Unreleased lock
CWE-573 Java/Kotlin java/missing-super-finalize Finalizer inconsistency
CWE-573 Java/Kotlin java/missing-format-argument Missing format argument
CWE-573 Java/Kotlin java/unused-format-argument Unused format argument
CWE-573 Java/Kotlin java/static-initialization-vector Using a static initialization vector for encryption
CWE-573 Java/Kotlin java/empty-finalizer Empty body of finalizer
CWE-573 JavaScript/TypeScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE-573 Python py/equals-hash-mismatch Inconsistent equality and hashing
CWE-573 Python py/call/wrong-named-class-argument Wrong name for an argument in a class instantiation
CWE-573 Python py/call/wrong-number-class-arguments Wrong number of arguments in a class instantiation
CWE-573 Python py/super-not-enclosing-class First argument to super() is not enclosing class
CWE-573 Python py/call/wrong-named-argument Wrong name for an argument in a call
CWE-573 Python py/percent-format/wrong-arguments Wrong number of arguments for format
CWE-573 Python py/call/wrong-arguments Wrong number of arguments in a call
CWE-573 Swift swift/static-initialization-vector Static initialization vector for encryption
CWE-574 Java/Kotlin java/ejb/synchronization EJB uses synchronization
CWE-575 Java/Kotlin java/ejb/graphics EJB uses graphics
CWE-576 Java/Kotlin java/ejb/file-io EJB uses file input/output
CWE-577 Java/Kotlin java/ejb/socket-or-stream-handler-factory EJB sets socket factory or URL stream handler factory
CWE-577 Java/Kotlin java/ejb/server-socket EJB uses server socket
CWE-578 Java/Kotlin java/ejb/container-interference EJB interferes with container operation
CWE-580 Java/Kotlin java/missing-call-to-super-clone Missing super clone
CWE-581 C# cs/inconsistent-equals-and-gethashcode Inconsistent Equals(object) and GetHashCode()
CWE-581 Java/Kotlin java/inconsistent-equals-and-hashcode Inconsistent equals and hashCode
CWE-581 Python py/equals-hash-mismatch Inconsistent equality and hashing
CWE-582 C# cs/static-array Array constant vulnerable to change
CWE-582 Java/Kotlin java/static-array Array constant vulnerable to change
CWE-584 Java/Kotlin java/abnormal-finally-completion Finally block may not complete normally
CWE-584 JavaScript/TypeScript js/exit-from-finally Jump from finally
CWE-584 Python py/exit-from-finally 'break' or 'return' statement in finally
CWE-585 C# cs/empty-lock-statement Empty lock statement
CWE-585 Java/Kotlin java/empty-synchronized-block Empty synchronized block
CWE-592 C/C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE-592 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE-592 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE-592 Java/Kotlin java/user-controlled-bypass User-controlled bypass of sensitive method
CWE-592 Java/Kotlin java/tainted-permissions-check User-controlled data used in permissions check
CWE-592 JavaScript/TypeScript js/user-controlled-bypass User-controlled bypass of security check
CWE-592 JavaScript/TypeScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE-592 JavaScript/TypeScript js/user-controlled-bypass-more-sources User-controlled bypass of security check with additional heuristic sources
CWE-592 Ruby rb/user-controlled-bypass User-controlled bypass of security check
CWE-595 C# cs/reference-equality-with-object Reference equality test on System.Object
CWE-595 C# cs/reference-equality-on-valuetypes Call to ReferenceEquals(...) on value type expressions
CWE-595 Java/Kotlin java/reference-equality-with-object Reference equality test on java.lang.Object
CWE-595 Java/Kotlin java/reference-equality-of-boxed-types Reference equality test of boxed types
CWE-595 Java/Kotlin java/reference-equality-on-strings Reference equality test on strings
CWE-597 Java/Kotlin java/reference-equality-on-strings Reference equality test on strings
CWE-598 Java/Kotlin java/sensitive-query-with-get Sensitive GET Query
CWE-598 JavaScript/TypeScript js/sensitive-get-query Sensitive data read from GET request
CWE-598 Ruby rb/sensitive-get-query Sensitive data read from GET request
CWE-600 Java/Kotlin java/uncaught-servlet-exception Uncaught Servlet Exception
CWE-601 C# cs/web/unvalidated-url-redirection URL redirection from remote source
CWE-601 Go go/bad-redirect-check Bad redirect check
CWE-601 Go go/unvalidated-url-redirection Open URL redirect
CWE-601 Java/Kotlin java/unvalidated-url-redirection URL redirection from remote source
CWE-601 Java/Kotlin java/unvalidated-url-redirection-local URL redirection from local source
CWE-601 Java/Kotlin java/spring-unvalidated-url-redirection Spring url redirection from remote source
CWE-601 JavaScript/TypeScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE-601 JavaScript/TypeScript js/server-side-unvalidated-url-redirection Server-side URL redirect
CWE-601 Python py/url-redirection URL redirection from remote source
CWE-601 Ruby rb/url-redirection URL redirection from remote source
CWE-609 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE-609 Java/Kotlin java/unsafe-double-checked-locking Double-checked locking is not thread-safe
CWE-609 Java/Kotlin java/unsafe-double-checked-locking-init-order Race condition in double-checked locking object initialization
CWE-609 Java/Kotlin java/lazy-initialization Incorrect lazy initialization of a static field
CWE-610 C/C++ cpp/path-injection Uncontrolled data used in path expression
CWE-610 C/C++ cpp/external-entity-expansion XML external entity expansion
CWE-610 C# cs/path-injection Uncontrolled data used in path expression
CWE-610 C# cs/web/unvalidated-url-redirection URL redirection from remote source
CWE-610 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-610 C# cs/insecure-xml-read XML is read insecurely
CWE-610 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-610 C# cs/request-forgery Server-side request forgery
CWE-610 Go go/path-injection Uncontrolled data used in path expression
CWE-610 Go go/bad-redirect-check Bad redirect check
CWE-610 Go go/unvalidated-url-redirection Open URL redirect
CWE-610 Go go/request-forgery Uncontrolled data used in network request
CWE-610 Go go/ssrf Uncontrolled data used in network request
CWE-610 Java/Kotlin java/path-injection Uncontrolled data used in path expression
CWE-610 Java/Kotlin java/path-injection-local Local-user-controlled data in path expression
CWE-610 Java/Kotlin java/android/unsafe-content-uri-resolution Uncontrolled data used in content resolution
CWE-610 Java/Kotlin java/android/fragment-injection Android fragment injection
CWE-610 Java/Kotlin java/android/fragment-injection-preference-activity Android fragment injection in PreferenceActivity
CWE-610 Java/Kotlin java/unvalidated-url-redirection URL redirection from remote source
CWE-610 Java/Kotlin java/unvalidated-url-redirection-local URL redirection from local source
CWE-610 Java/Kotlin java/xxe Resolving XML external entity in user-controlled data
CWE-610 Java/Kotlin java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE-610 Java/Kotlin java/ssrf Server-side request forgery
CWE-610 Java/Kotlin java/file-path-injection File Path Injection
CWE-610 Java/Kotlin java/android/unsafe-reflection Load 3rd party classes or code ('unsafe reflection') without signature check
CWE-610 Java/Kotlin java/unsafe-reflection Use of externally-controlled input to select classes or code ('unsafe reflection')
CWE-610 Java/Kotlin java/spring-unvalidated-url-redirection Spring url redirection from remote source
CWE-610 JavaScript/TypeScript js/path-injection Uncontrolled data used in path expression
CWE-610 JavaScript/TypeScript js/template-object-injection Template Object Injection
CWE-610 JavaScript/TypeScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE-610 JavaScript/TypeScript js/server-side-unvalidated-url-redirection Server-side URL redirect
CWE-610 JavaScript/TypeScript js/xxe XML external entity expansion
CWE-610 JavaScript/TypeScript js/client-side-request-forgery Client-side request forgery
CWE-610 JavaScript/TypeScript js/request-forgery Server-side request forgery
CWE-610 JavaScript/TypeScript javascript/ssrf Uncontrolled data used in network request
CWE-610 JavaScript/TypeScript js/xxe-more-sources XML external entity expansion with additional heuristic sources
CWE-610 Python py/path-injection Uncontrolled data used in path expression
CWE-610 Python py/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-610 Python py/url-redirection URL redirection from remote source
CWE-610 Python py/xxe XML external entity expansion
CWE-610 Python py/full-ssrf Full server-side request forgery
CWE-610 Python py/partial-ssrf Partial server-side request forgery
CWE-610 Ruby rb/path-injection Uncontrolled data used in path expression
CWE-610 Ruby rb/kernel-open Use of Kernel.open, IO.read or similar sinks with user-controlled input
CWE-610 Ruby rb/non-constant-kernel-open Use of Kernel.open or IO.read or similar sinks with a non-constant value
CWE-610 Ruby rb/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-610 Ruby rb/url-redirection URL redirection from remote source
CWE-610 Ruby rb/xxe XML external entity expansion
CWE-610 Ruby rb/request-forgery Server-side request forgery
CWE-610 Swift swift/path-injection Uncontrolled data used in path expression
CWE-610 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE-611 C/C++ cpp/external-entity-expansion XML external entity expansion
CWE-611 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-611 C# cs/insecure-xml-read XML is read insecurely
CWE-611 Java/Kotlin java/xxe Resolving XML external entity in user-controlled data
CWE-611 Java/Kotlin java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE-611 JavaScript/TypeScript js/xxe XML external entity expansion
CWE-611 JavaScript/TypeScript js/xxe-more-sources XML external entity expansion with additional heuristic sources
CWE-611 Python py/xxe XML external entity expansion
CWE-611 Ruby rb/xxe XML external entity expansion
CWE-611 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE-614 C# cs/web/requiressl-not-set 'requireSSL' attribute is not set to true
CWE-614 C# cs/web/cookie-secure-not-set 'Secure' attribute is not set to true
CWE-614 Java/Kotlin java/insecure-cookie Failure to use secure cookies
CWE-614 JavaScript/TypeScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE-614 Python py/cookie-injection Construction of a cookie using user-supplied input.
CWE-614 Python py/insecure-cookie Failure to use secure cookies
CWE-625 Java/Kotlin java/permissive-dot-regex URL matched by permissive . in a regular expression
CWE-625 JavaScript/TypeScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE-628 C/C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE-628 C/C++ cpp/wrong-type-format-argument Wrong type of arguments to formatting function
CWE-628 C/C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE-628 C/C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE-628 C# cs/invalid-dynamic-call Bad dynamic call
CWE-628 Java/Kotlin java/missing-format-argument Missing format argument
CWE-628 Java/Kotlin java/unused-format-argument Unused format argument
CWE-628 JavaScript/TypeScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE-628 Python py/call/wrong-named-class-argument Wrong name for an argument in a class instantiation
CWE-628 Python py/call/wrong-number-class-arguments Wrong number of arguments in a class instantiation
CWE-628 Python py/super-not-enclosing-class First argument to super() is not enclosing class
CWE-628 Python py/call/wrong-named-argument Wrong name for an argument in a call
CWE-628 Python py/percent-format/wrong-arguments Wrong number of arguments for format
CWE-628 Python py/call/wrong-arguments Wrong number of arguments in a call
CWE-639 C# cs/web/insecure-direct-object-reference Insecure Direct Object Reference
CWE-639 JavaScript/TypeScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE-639 JavaScript/TypeScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE-640 Go go/email-injection Email content injection
CWE-640 JavaScript/TypeScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE-642 C/C++ cpp/path-injection Uncontrolled data used in path expression
CWE-642 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE-642 C# cs/path-injection Uncontrolled data used in path expression
CWE-642 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-642 Go go/path-injection Uncontrolled data used in path expression
CWE-642 Java/Kotlin java/path-injection Uncontrolled data used in path expression
CWE-642 Java/Kotlin java/path-injection-local Local-user-controlled data in path expression
CWE-642 Java/Kotlin java/file-path-injection File Path Injection
CWE-642 JavaScript/TypeScript js/path-injection Uncontrolled data used in path expression
CWE-642 JavaScript/TypeScript js/template-object-injection Template Object Injection
CWE-642 Python py/path-injection Uncontrolled data used in path expression
CWE-642 Python py/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-642 Ruby rb/path-injection Uncontrolled data used in path expression
CWE-642 Ruby rb/kernel-open Use of Kernel.open, IO.read or similar sinks with user-controlled input
CWE-642 Ruby rb/non-constant-kernel-open Use of Kernel.open or IO.read or similar sinks with a non-constant value
CWE-642 Ruby rb/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-642 Swift swift/path-injection Uncontrolled data used in path expression
CWE-643 C# cs/xml/xpath-injection XPath injection
CWE-643 Go go/xml/xpath-injection XPath injection
CWE-643 Java/Kotlin java/xml/xpath-injection XPath injection
CWE-643 JavaScript/TypeScript js/xpath-injection XPath injection
CWE-643 JavaScript/TypeScript js/xpath-injection-more-sources XPath injection with additional heuristic sources
CWE-643 Python py/xpath-injection XPath query built from user-controlled sources
CWE-643 Python py/xslt-injection XSLT query built from user-controlled sources
CWE-643 Ruby rb/xpath-injection XPath query built from user-controlled sources
CWE-652 Java/Kotlin java/xquery-injection XQuery query built from user-controlled sources
CWE-657 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE-657 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-657 C# cs/hardcoded-credentials Hard-coded credentials
CWE-657 Go go/hardcoded-credentials Hard-coded credentials
CWE-657 Go go/parse-jwt-with-hardcoded-key Decoding JWT with hardcoded key
CWE-657 Java/Kotlin java/hardcoded-credential-api-call Hard-coded credential in API call
CWE-657 Java/Kotlin java/hardcoded-credential-comparison Hard-coded credential comparison
CWE-657 Java/Kotlin java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE-657 Java/Kotlin java/hardcoded-password-field Hard-coded password field
CWE-657 JavaScript/TypeScript js/remote-property-injection Remote property injection
CWE-657 JavaScript/TypeScript js/hardcoded-credentials Hard-coded credentials
CWE-657 JavaScript/TypeScript js/remote-property-injection-more-sources Remote property injection with additional heuristic sources
CWE-657 Python py/hardcoded-credentials Hard-coded credentials
CWE-657 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE-657 Swift swift/constant-password Constant password
CWE-657 Swift swift/hardcoded-key Hard-coded encryption key
CWE-662 C/C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE-662 C/C++ cpp/twice-locked Mutex locked twice
CWE-662 C/C++ cpp/unreleased-lock Lock may not be released
CWE-662 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE-662 C# cs/inconsistent-lock-sequence Inconsistent lock sequence
CWE-662 C# cs/lock-this Locking the 'this' object in a lock statement
CWE-662 C# cs/locked-wait A lock is held during a wait
CWE-662 C# cs/unsynchronized-getter Inconsistently synchronized property
CWE-662 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE-662 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE-662 Java/Kotlin java/ejb/synchronization EJB uses synchronization
CWE-662 Java/Kotlin java/wait-on-condition-interface Wait on condition
CWE-662 Java/Kotlin java/call-to-thread-run Direct call to a run() method
CWE-662 Java/Kotlin java/unsafe-double-checked-locking Double-checked locking is not thread-safe
CWE-662 Java/Kotlin java/unsafe-double-checked-locking-init-order Race condition in double-checked locking object initialization
CWE-662 Java/Kotlin java/unsafe-sync-on-field Futile synchronization on field
CWE-662 Java/Kotlin java/inconsistent-field-synchronization Inconsistent synchronization for field
CWE-662 Java/Kotlin java/lazy-initialization Incorrect lazy initialization of a static field
CWE-662 Java/Kotlin java/non-sync-override Non-synchronized override of synchronized method
CWE-662 Java/Kotlin java/notify-instead-of-notify-all notify instead of notifyAll
CWE-662 Java/Kotlin java/sleep-with-lock-held Sleep with lock held
CWE-662 Java/Kotlin java/sync-on-boxed-types Synchronization on boxed types or strings
CWE-662 Java/Kotlin java/unsynchronized-getter Inconsistent synchronization of getter and setter
CWE-662 Java/Kotlin java/inconsistent-sync-writeobject Inconsistent synchronization for writeObject()
CWE-662 Java/Kotlin java/unreleased-lock Unreleased lock
CWE-662 Java/Kotlin java/wait-with-two-locks Wait with two locks held
CWE-662 Java/Kotlin java/lock-order-inconsistency Lock order inconsistency
CWE-664 C/C++ cpp/catch-missing-free Leaky catch
CWE-664 C/C++ cpp/descriptor-may-not-be-closed Open descriptor may not be closed
CWE-664 C/C++ cpp/descriptor-never-closed Open descriptor never closed
CWE-664 C/C++ cpp/double-free Potential double free
CWE-664 C/C++ cpp/file-may-not-be-closed Open file may not be closed
CWE-664 C/C++ cpp/file-never-closed Open file is not closed
CWE-664 C/C++ cpp/global-use-before-init Global variable may be used before initialization
CWE-664 C/C++ cpp/initialization-not-run Initialization code not run
CWE-664 C/C++ cpp/memory-may-not-be-freed Memory may not be freed
CWE-664 C/C++ cpp/memory-never-freed Memory is never freed
CWE-664 C/C++ cpp/new-free-mismatch Mismatching new/free or malloc/delete
CWE-664 C/C++ cpp/not-initialised Variable not initialized before use
CWE-664 C/C++ cpp/use-after-free Potential use after free
CWE-664 C/C++ cpp/bad-addition-overflow-check Bad check for overflow of integer addition
CWE-664 C/C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE-664 C/C++ cpp/upcast-array-pointer-arithmetic Upcast array used in pointer arithmetic
CWE-664 C/C++ cpp/alloca-in-loop Call to alloca in a loop
CWE-664 C/C++ cpp/improper-null-termination Potential improper null termination
CWE-664 C/C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE-664 C/C++ cpp/uninitialized-local Potentially uninitialized local variable
CWE-664 C/C++ cpp/using-expired-stack-address Use of expired stack-address
CWE-664 C/C++ cpp/self-assignment-check Self assignment check
CWE-664 C/C++ cpp/path-injection Uncontrolled data used in path expression
CWE-664 C/C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE-664 C/C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE-664 C/C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE-664 C/C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE-664 C/C++ cpp/cleartext-storage-buffer Cleartext storage of sensitive information in buffer
CWE-664 C/C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE-664 C/C++ cpp/cleartext-transmission Cleartext transmission of sensitive information
CWE-664 C/C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE-664 C/C++ cpp/use-of-string-after-lifetime-ends Use of string after lifetime ends
CWE-664 C/C++ cpp/use-of-unique-pointer-after-lifetime-ends Use of unique pointer after lifetime ends
CWE-664 C/C++ cpp/unsafe-create-process-call NULL application name with an unquoted path in call to CreateProcess
CWE-664 C/C++ cpp/conditionally-uninitialized-variable Conditionally uninitialized variable
CWE-664 C/C++ cpp/system-data-exposure Exposure of system data to an unauthorized control sphere
CWE-664 C/C++ cpp/potential-system-data-exposure Potential exposure of sensitive system data to an unauthorized control sphere
CWE-664 C/C++ cpp/external-entity-expansion XML external entity expansion
CWE-664 C/C++ cpp/incorrect-string-type-conversion Cast from char to wchar_t
CWE-664 C/C++ cpp/world-writable-file-creation File created without restricting permissions
CWE-664 C/C++ cpp/open-call-with-mode-argument File opened with O_CREAT flag but without mode argument
CWE-664 C/C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE-664 C/C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE-664 C/C++ cpp/twice-locked Mutex locked twice
CWE-664 C/C++ cpp/unreleased-lock Lock may not be released
CWE-664 C/C++ cpp/type-confusion Type confusion
CWE-664 C/C++ cpp/work-with-file-without-permissions-rights Writing to a file without setting permissions.
CWE-664 C/C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE-664 C/C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE-664 C/C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE-664 C/C++ cpp/pam-auth-bypass PAM Authorization bypass
CWE-664 C/C++ cpp/private-cleartext-write Exposure of private information
CWE-664 C/C++ cpp/insecure-generation-of-filename Insecure generation of filenames.
CWE-664 C/C++ cpp/memory-leak-on-failed-call-to-realloc Memory leak on failed call to realloc
CWE-664 C/C++ cpp/experimental-double-free Errors When Double Free
CWE-664 C/C++ cpp/iterator-to-expired-container Iterator to expired container
CWE-664 C/C++ cpp/use-after-expired-lifetime Use of object after its lifetime has ended
CWE-664 C/C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE-664 C/C++ cpp/double-release Errors When Double Release
CWE-664 C/C++ cpp/improper-check-return-value-scanf Improper check of return value of scanf
CWE-664 C/C++ cpp/resource-not-released-in-destructor Resource not released in destructor
CWE-664 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE-664 C# cs/member-not-disposed Missing Dispose call
CWE-664 C# cs/missing-dispose-method Missing Dispose method
CWE-664 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE-664 C# cs/class-name-comparison Erroneous class compare
CWE-664 C# cs/cast-from-abstract-to-concrete-collection Cast from abstract to concrete collection
CWE-664 C# cs/expose-implementation Exposing internal representation
CWE-664 C# cs/static-array Array constant vulnerable to change
CWE-664 C# cs/web/debug-code ASP.NET: leftover debug code
CWE-664 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE-664 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE-664 C# cs/inconsistent-lock-sequence Inconsistent lock sequence
CWE-664 C# cs/lock-this Locking the 'this' object in a lock statement
CWE-664 C# cs/locked-wait A lock is held during a wait
CWE-664 C# cs/unsynchronized-getter Inconsistently synchronized property
CWE-664 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE-664 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE-664 C# cs/empty-password-in-configuration Empty password in configuration file
CWE-664 C# cs/password-in-configuration Password in configuration file
CWE-664 C# cs/unassigned-field Field is never assigned a non-default value
CWE-664 C# cs/web/file-upload Use of file upload
CWE-664 C# cs/catch-of-all-exceptions Generic catch clause
CWE-664 C# cs/loss-of-precision Possible loss of precision
CWE-664 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE-664 C# cs/path-injection Uncontrolled data used in path expression
CWE-664 C# cs/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-664 C# cs/code-injection Improper control of generation of code
CWE-664 C# cs/sensitive-data-transmission Information exposure through transmitted data
CWE-664 C# cs/information-exposure-through-exception Information exposure through an exception
CWE-664 C# cs/web/missing-function-level-access-control Missing function level access control
CWE-664 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE-664 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE-664 C# cs/exposure-of-sensitive-information Exposure of private information
CWE-664 C# cs/session-reuse Failure to abandon session
CWE-664 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-664 C# cs/deserialized-delegate Deserialized delegate
CWE-664 C# cs/unsafe-deserialization Unsafe deserializer
CWE-664 C# cs/unsafe-deserialization-untrusted-input Deserialization of untrusted data
CWE-664 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE-664 C# cs/web/unvalidated-url-redirection URL redirection from remote source
CWE-664 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-664 C# cs/insecure-xml-read XML is read insecurely
CWE-664 C# cs/web/insecure-direct-object-reference Insecure Direct Object Reference
CWE-664 C# cs/redos Denial of Service from comparison of user input against expensive regex
CWE-664 C# cs/regex-injection Regular expression injection
CWE-664 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-664 C# cs/hardcoded-credentials Hard-coded credentials
CWE-664 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE-664 C# cs/web/broad-cookie-domain Cookie security: overly broad domain
CWE-664 C# cs/web/broad-cookie-path Cookie security: overly broad path
CWE-664 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE-664 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-664 C# cs/request-forgery Server-side request forgery
CWE-664 Go go/shift-out-of-range Shift out of range
CWE-664 Go go/path-injection Uncontrolled data used in path expression
CWE-664 Go go/unsafe-unzip-symlink Arbitrary file write extracting an archive containing symbolic links
CWE-664 Go go/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-664 Go go/unsafe-quoting Potentially unsafe quoting
CWE-664 Go go/stack-trace-exposure Information exposure through a stack trace
CWE-664 Go go/clear-text-logging Clear-text logging of sensitive information
CWE-664 Go go/insecure-hostkeycallback Use of insecure HostKeyCallback implementation
CWE-664 Go go/bad-redirect-check Bad redirect check
CWE-664 Go go/unvalidated-url-redirection Open URL redirect
CWE-664 Go go/email-injection Email content injection
CWE-664 Go go/incorrect-integer-conversion Incorrect conversion between integer types
CWE-664 Go go/uncontrolled-allocation-size Slice memory allocation with excessive size value
CWE-664 Go go/hardcoded-credentials Hard-coded credentials
CWE-664 Go go/request-forgery Uncontrolled data used in network request
CWE-664 Go go/timing-attack Timing attacks due to comparison of sensitive secrets
CWE-664 Go go/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE-664 Go go/improper-ldap-auth Improper LDAP Authentication
CWE-664 Go go/parse-jwt-with-hardcoded-key Decoding JWT with hardcoded key
CWE-664 Go go/uncontrolled-file-decompression Uncontrolled file decompression
CWE-664 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE-664 Go go/ssrf Uncontrolled data used in network request
CWE-664 Go go/cors-misconfiguration CORS misconfiguration
CWE-664 Java/Kotlin java/ejb/synchronization EJB uses synchronization
CWE-664 Java/Kotlin java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE-664 Java/Kotlin java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE-664 Java/Kotlin java/missing-call-to-super-clone Missing super clone
CWE-664 Java/Kotlin java/wait-on-condition-interface Wait on condition
CWE-664 Java/Kotlin java/call-to-thread-run Direct call to a run() method
CWE-664 Java/Kotlin java/unsafe-double-checked-locking Double-checked locking is not thread-safe
CWE-664 Java/Kotlin java/unsafe-double-checked-locking-init-order Race condition in double-checked locking object initialization
CWE-664 Java/Kotlin java/unsafe-sync-on-field Futile synchronization on field
CWE-664 Java/Kotlin java/inconsistent-field-synchronization Inconsistent synchronization for field
CWE-664 Java/Kotlin java/lazy-initialization Incorrect lazy initialization of a static field
CWE-664 Java/Kotlin java/non-sync-override Non-synchronized override of synchronized method
CWE-664 Java/Kotlin java/notify-instead-of-notify-all notify instead of notifyAll
CWE-664 Java/Kotlin java/sleep-with-lock-held Sleep with lock held
CWE-664 Java/Kotlin java/sync-on-boxed-types Synchronization on boxed types or strings
CWE-664 Java/Kotlin java/unsynchronized-getter Inconsistent synchronization of getter and setter
CWE-664 Java/Kotlin java/inconsistent-sync-writeobject Inconsistent synchronization for writeObject()
CWE-664 Java/Kotlin java/unreleased-lock Unreleased lock
CWE-664 Java/Kotlin java/wait-with-two-locks Wait with two locks held
CWE-664 Java/Kotlin java/missing-super-finalize Finalizer inconsistency
CWE-664 Java/Kotlin java/input-resource-leak Potential input resource leak
CWE-664 Java/Kotlin java/database-resource-leak Potential database resource leak
CWE-664 Java/Kotlin java/output-resource-leak Potential output resource leak
CWE-664 Java/Kotlin java/impossible-array-cast Impossible array cast
CWE-664 Java/Kotlin java/path-injection Uncontrolled data used in path expression
CWE-664 Java/Kotlin java/path-injection-local Local-user-controlled data in path expression
CWE-664 Java/Kotlin java/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-664 Java/Kotlin java/partial-path-traversal Partial path traversal vulnerability
CWE-664 Java/Kotlin java/partial-path-traversal-from-remote Partial path traversal vulnerability from remote
CWE-664 Java/Kotlin java/exec-tainted-environment Building a command with an injected environment variable
CWE-664 Java/Kotlin java/android/arbitrary-apk-installation Android APK installation
CWE-664 Java/Kotlin java/groovy-injection Groovy Language injection
CWE-664 Java/Kotlin java/insecure-bean-validation Insecure Bean Validation
CWE-664 Java/Kotlin java/jexl-expression-injection Expression language injection (JEXL)
CWE-664 Java/Kotlin java/mvel-expression-injection Expression language injection (MVEL)
CWE-664 Java/Kotlin java/spel-expression-injection Expression language injection (Spring)
CWE-664 Java/Kotlin java/server-side-template-injection Server-side template injection
CWE-664 Java/Kotlin java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE-664 Java/Kotlin java/android/sensitive-notification Exposure of sensitive information to notifications
CWE-664 Java/Kotlin java/android/sensitive-text Exposure of sensitive information to UI text views
CWE-664 Java/Kotlin java/android/websettings-allow-content-access Android WebView settings allows access to content links
CWE-664 Java/Kotlin java/android/websettings-file-access Android WebSettings file access
CWE-664 Java/Kotlin java/local-temp-file-or-directory-information-disclosure Local information disclosure in a temporary directory
CWE-664 Java/Kotlin java/stack-trace-exposure Information exposure through a stack trace
CWE-664 Java/Kotlin java/android/intent-uri-permission-manipulation Intent URI permission manipulation
CWE-664 Java/Kotlin java/unsafe-cert-trust Unsafe certificate trust
CWE-664 Java/Kotlin java/android/insecure-local-key-gen Insecurely generated keys for local authentication
CWE-664 Java/Kotlin java/android/insecure-local-authentication Insecure local authentication
CWE-664 Java/Kotlin java/insecure-smtp-ssl Insecure JavaMail SSL Configuration
CWE-664 Java/Kotlin java/unsafe-hostname-verification Unsafe hostname verification
CWE-664 Java/Kotlin java/android/backup-enabled Application backup allowed
CWE-664 Java/Kotlin java/android/cleartext-storage-database Cleartext storage of sensitive information using a local database on Android
CWE-664 Java/Kotlin java/android/cleartext-storage-filesystem Cleartext storage of sensitive information in the Android filesystem
CWE-664 Java/Kotlin java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE-664 Java/Kotlin java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE-664 Java/Kotlin java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE-664 Java/Kotlin java/android/cleartext-storage-shared-prefs Cleartext storage of sensitive information using SharedPreferences on Android
CWE-664 Java/Kotlin java/socket-auth-race-condition Race condition in socket authentication
CWE-664 Java/Kotlin java/android/unsafe-content-uri-resolution Uncontrolled data used in content resolution
CWE-664 Java/Kotlin java/android/fragment-injection Android fragment injection
CWE-664 Java/Kotlin java/android/fragment-injection-preference-activity Android fragment injection in PreferenceActivity
CWE-664 Java/Kotlin java/android/debuggable-attribute-enabled Android debuggable attribute enabled
CWE-664 Java/Kotlin java/android/webview-debugging-enabled Android Webview debugging enabled
CWE-664 Java/Kotlin java/trust-boundary-violation Trust boundary violation
CWE-664 Java/Kotlin java/unsafe-deserialization Deserialization of user-controlled data
CWE-664 Java/Kotlin java/insecure-basic-auth Insecure basic authentication
CWE-664 Java/Kotlin java/insecure-ldap-auth Insecure LDAP authentication
CWE-664 Java/Kotlin java/android/sensitive-keyboard-cache Android sensitive keyboard cache
CWE-664 Java/Kotlin java/sensitive-log Insertion of sensitive information into log files
CWE-664 Java/Kotlin java/unvalidated-url-forward URL forward from a remote source
CWE-664 Java/Kotlin java/unvalidated-url-redirection URL redirection from remote source
CWE-664 Java/Kotlin java/unvalidated-url-redirection-local URL redirection from local source
CWE-664 Java/Kotlin java/xxe Resolving XML external entity in user-controlled data
CWE-664 Java/Kotlin java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE-664 Java/Kotlin java/tainted-numeric-cast User-controlled data in numeric cast
CWE-664 Java/Kotlin java/tainted-numeric-cast-local Local-user-controlled data in numeric cast
CWE-664 Java/Kotlin java/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE-664 Java/Kotlin java/redos Inefficient regular expression
CWE-664 Java/Kotlin java/regex-injection Regular expression injection
CWE-664 Java/Kotlin java/world-writable-file-read Reading from a world writable file
CWE-664 Java/Kotlin java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android WebView
CWE-664 Java/Kotlin java/hardcoded-credential-api-call Hard-coded credential in API call
CWE-664 Java/Kotlin java/hardcoded-credential-comparison Hard-coded credential comparison
CWE-664 Java/Kotlin java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE-664 Java/Kotlin java/hardcoded-password-field Hard-coded password field
CWE-664 Java/Kotlin java/user-controlled-bypass User-controlled bypass of sensitive method
CWE-664 Java/Kotlin java/tainted-permissions-check User-controlled data used in permissions check
CWE-664 Java/Kotlin java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE-664 Java/Kotlin java/lock-order-inconsistency Lock order inconsistency
CWE-664 Java/Kotlin java/ssrf Server-side request forgery
CWE-664 Java/Kotlin java/improper-intent-verification Improper verification of intent by broadcast receiver
CWE-664 Java/Kotlin java/android/incomplete-provider-permissions Missing read or write permission in a content provider
CWE-664 Java/Kotlin java/android/implicitly-exported-component Implicitly exported Android component
CWE-664 Java/Kotlin java/android/implicit-pendingintents Use of implicit PendingIntents
CWE-664 Java/Kotlin java/android/sensitive-communication Leaking sensitive information through an implicit Intent
CWE-664 Java/Kotlin java/android/sensitive-result-receiver Leaking sensitive information through a ResultReceiver
CWE-664 Java/Kotlin java/android/intent-redirection Android Intent redirection
CWE-664 Java/Kotlin java/empty-finalizer Empty body of finalizer
CWE-664 Java/Kotlin java/unassigned-field Field is never assigned a non-null value
CWE-664 Java/Kotlin java/overly-general-catch Overly-general catch clause
CWE-664 Java/Kotlin java/abstract-to-concrete-cast Cast from abstract to concrete collection
CWE-664 Java/Kotlin java/internal-representation-exposure Exposing internal representation
CWE-664 Java/Kotlin java/static-array Array constant vulnerable to change
CWE-664 Java/Kotlin java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE-664 Java/Kotlin java/openstream-called-on-tainted-url openStream called on URLs created from remote source
CWE-664 Java/Kotlin java/file-path-injection File Path Injection
CWE-664 Java/Kotlin java/beanshell-injection BeanShell injection
CWE-664 Java/Kotlin java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE-664 Java/Kotlin java/jshell-injection JShell injection
CWE-664 Java/Kotlin java/javaee-expression-injection Jakarta Expression Language injection
CWE-664 Java/Kotlin java/jython-injection Injection in Jython
CWE-664 Java/Kotlin java/unsafe-eval Injection in Java Script Engine
CWE-664 Java/Kotlin java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE-664 Java/Kotlin java/spring-view-manipulation Spring View Manipulation
CWE-664 Java/Kotlin java/insecure-webview-resource-response Insecure Android WebView Resource Response
CWE-664 Java/Kotlin java/sensitive-android-file-leak Leaking sensitive Android file
CWE-664 Java/Kotlin java/possible-timing-attack-against-signature Possible timing attack against signature validation
CWE-664 Java/Kotlin java/timing-attack-against-headers-value Timing attack against header value
CWE-664 Java/Kotlin java/timing-attack-against-signature Timing attack against signature validation
CWE-664 Java/Kotlin java/ignored-hostname-verification Ignored result of hostname verification
CWE-664 Java/Kotlin java/insecure-ldaps-endpoint Insecure LDAPS Endpoint Configuration
CWE-664 Java/Kotlin java/disabled-certificate-revocation-checking Disabled certificate revocation checking
CWE-664 Java/Kotlin java/unvalidated-cors-origin-set CORS is derived from untrusted input
CWE-664 Java/Kotlin java/local-thread-resource-abuse Uncontrolled thread resource consumption from local input source
CWE-664 Java/Kotlin java/thread-resource-abuse Uncontrolled thread resource consumption
CWE-664 Java/Kotlin java/android/unsafe-reflection Load 3rd party classes or code ('unsafe reflection') without signature check
CWE-664 Java/Kotlin java/unsafe-reflection Use of externally-controlled input to select classes or code ('unsafe reflection')
CWE-664 Java/Kotlin java/main-method-in-enterprise-bean Main Method in Enterprise Java Bean
CWE-664 Java/Kotlin java/main-method-in-web-components Main Method in Java EE Web Components
CWE-664 Java/Kotlin java/struts-development-mode Apache Struts development mode enabled
CWE-664 Java/Kotlin java/unsafe-deserialization-rmi Unsafe deserialization in a remotely callable method.
CWE-664 Java/Kotlin java/unsafe-deserialization-spring-exporter-in-configuration-class Unsafe deserialization with Spring's remote service exporters.
CWE-664 Java/Kotlin java/unsafe-deserialization-spring-exporter-in-xml-configuration Unsafe deserialization with Spring's remote service exporters.
CWE-664 Java/Kotlin java/server-directory-listing Directories and files exposure
CWE-664 Java/Kotlin java/credentials-in-properties Cleartext Credentials in Properties File
CWE-664 Java/Kotlin java/password-in-configuration Password in configuration file
CWE-664 Java/Kotlin java/sensitive-query-with-get Sensitive GET Query
CWE-664 Java/Kotlin java/spring-unvalidated-url-redirection Spring url redirection from remote source
CWE-664 Java/Kotlin java/permissive-dot-regex URL matched by permissive . in a regular expression
CWE-664 Java/Kotlin java/insecure-rmi-jmx-server-initialization InsecureRmiJmxAuthenticationEnvironment
CWE-664 Java/Kotlin java/incorrect-url-verification Incorrect URL verification
CWE-664 JavaScript/TypeScript js/alert-call Invocation of alert
CWE-664 JavaScript/TypeScript js/unsafe-external-link Potentially unsafe external link
CWE-664 JavaScript/TypeScript js/enabling-electron-insecure-content Enabling Electron allowRunningInsecureContent
CWE-664 JavaScript/TypeScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE-664 JavaScript/TypeScript js/implicit-operand-conversion Implicit operand conversion
CWE-664 JavaScript/TypeScript js/shift-out-of-range Shift out of range
CWE-664 JavaScript/TypeScript js/debugger-statement Use of debugger statement
CWE-664 JavaScript/TypeScript js/invalid-prototype-value Invalid prototype value
CWE-664 JavaScript/TypeScript js/property-assignment-on-primitive Assignment to property of primitive value
CWE-664 JavaScript/TypeScript js/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE-664 JavaScript/TypeScript js/redos Inefficient regular expression
CWE-664 JavaScript/TypeScript js/missing-origin-check Missing origin verification in postMessage handler
CWE-664 JavaScript/TypeScript js/path-injection Uncontrolled data used in path expression
CWE-664 JavaScript/TypeScript js/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-664 JavaScript/TypeScript js/template-object-injection Template Object Injection
CWE-664 JavaScript/TypeScript js/code-injection Code injection
CWE-664 JavaScript/TypeScript js/actions/command-injection Expression injection in Actions
CWE-664 JavaScript/TypeScript js/bad-code-sanitization Improper code sanitization
CWE-664 JavaScript/TypeScript js/unsafe-code-construction Unsafe code constructed from library input
CWE-664 JavaScript/TypeScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE-664 JavaScript/TypeScript js/case-sensitive-middleware-path Case-sensitive middleware path
CWE-664 JavaScript/TypeScript js/file-access-to-http File data in outbound network request
CWE-664 JavaScript/TypeScript js/exposure-of-private-files Exposure of private files
CWE-664 JavaScript/TypeScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE-664 JavaScript/TypeScript js/stack-trace-exposure Information exposure through a stack trace
CWE-664 JavaScript/TypeScript js/disabling-certificate-validation Disabling certificate validation
CWE-664 JavaScript/TypeScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE-664 JavaScript/TypeScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE-664 JavaScript/TypeScript js/clear-text-logging Clear-text logging of sensitive information
CWE-664 JavaScript/TypeScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE-664 JavaScript/TypeScript js/password-in-configuration-file Password in configuration file
CWE-664 JavaScript/TypeScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE-664 JavaScript/TypeScript js/insecure-temporary-file Insecure temporary file
CWE-664 JavaScript/TypeScript js/session-fixation Failure to abandon session
CWE-664 JavaScript/TypeScript js/resource-exhaustion-from-deep-object-traversal Resources exhaustion from deep object traversal
CWE-664 JavaScript/TypeScript js/remote-property-injection Remote property injection
CWE-664 JavaScript/TypeScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-664 JavaScript/TypeScript js/unsafe-deserialization Deserialization of user-controlled data
CWE-664 JavaScript/TypeScript js/sensitive-get-query Sensitive data read from GET request
CWE-664 JavaScript/TypeScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE-664 JavaScript/TypeScript js/server-side-unvalidated-url-redirection Server-side URL redirect
CWE-664 JavaScript/TypeScript js/xxe XML external entity expansion
CWE-664 JavaScript/TypeScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE-664 JavaScript/TypeScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE-664 JavaScript/TypeScript js/regex-injection Regular expression injection
CWE-664 JavaScript/TypeScript js/missing-rate-limiting Missing rate limiting
CWE-664 JavaScript/TypeScript js/resource-exhaustion Resource exhaustion
CWE-664 JavaScript/TypeScript js/xml-bomb XML internal entity expansion
CWE-664 JavaScript/TypeScript js/hardcoded-credentials Hard-coded credentials
CWE-664 JavaScript/TypeScript js/user-controlled-bypass User-controlled bypass of security check
CWE-664 JavaScript/TypeScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE-664 JavaScript/TypeScript js/insecure-download Download of sensitive file through insecure connection
CWE-664 JavaScript/TypeScript js/functionality-from-untrusted-source Inclusion of functionality from an untrusted source
CWE-664 JavaScript/TypeScript js/type-confusion-through-parameter-tampering Type confusion through parameter tampering
CWE-664 JavaScript/TypeScript js/empty-password-in-configuration-file Empty password in configuration file
CWE-664 JavaScript/TypeScript js/http-to-file-access Network data written to file
CWE-664 JavaScript/TypeScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE-664 JavaScript/TypeScript js/prototype-pollution-utility Prototype-polluting function
CWE-664 JavaScript/TypeScript js/prototype-pollution Prototype-polluting merge call
CWE-664 JavaScript/TypeScript js/client-side-request-forgery Client-side request forgery
CWE-664 JavaScript/TypeScript js/request-forgery Server-side request forgery
CWE-664 JavaScript/TypeScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE-664 JavaScript/TypeScript javascript/ssrf Uncontrolled data used in network request
CWE-664 JavaScript/TypeScript js/code-injection-more-sources Code injection with additional heuristic sources
CWE-664 JavaScript/TypeScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE-664 JavaScript/TypeScript js/remote-property-injection-more-sources Remote property injection with additional heuristic sources
CWE-664 JavaScript/TypeScript js/unsafe-deserialization-more-sources Deserialization of user-controlled data with additional heuristic sources
CWE-664 JavaScript/TypeScript js/xxe-more-sources XML external entity expansion with additional heuristic sources
CWE-664 JavaScript/TypeScript js/regex-injection-more-sources Regular expression injection with additional heuristic sources
CWE-664 JavaScript/TypeScript js/resource-exhaustion-more-sources Resource exhaustion with additional heuristic sources
CWE-664 JavaScript/TypeScript js/xml-bomb-more-sources XML internal entity expansion with additional heuristic sources
CWE-664 JavaScript/TypeScript js/user-controlled-bypass-more-sources User-controlled bypass of security check with additional heuristic sources
CWE-664 JavaScript/TypeScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE-664 Python py/catch-base-exception Except block handles 'BaseException'
CWE-664 Python py/implicit-string-concatenation-in-list Implicit string concatenation in a list
CWE-664 Python py/file-not-closed File is not always closed
CWE-664 Python py/bind-socket-all-network-interfaces Binding a socket to all network interfaces
CWE-664 Python py/path-injection Uncontrolled data used in path expression
CWE-664 Python py/tarslip Arbitrary file write during tarfile extraction
CWE-664 Python py/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-664 Python py/code-injection Code injection
CWE-664 Python py/stack-trace-exposure Information exposure through an exception
CWE-664 Python py/flask-debug Flask app is run in debug mode
CWE-664 Python py/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE-664 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE-664 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE-664 Python py/insecure-temporary-file Insecure temporary file
CWE-664 Python py/unsafe-deserialization Deserialization of user-controlled data
CWE-664 Python py/url-redirection URL redirection from remote source
CWE-664 Python py/xxe XML external entity expansion
CWE-664 Python py/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE-664 Python py/redos Inefficient regular expression
CWE-664 Python py/regex-injection Regular expression injection
CWE-664 Python py/overly-permissive-file Overly permissive file permissions
CWE-664 Python py/xml-bomb XML internal entity expansion
CWE-664 Python py/hardcoded-credentials Hard-coded credentials
CWE-664 Python py/full-ssrf Full server-side request forgery
CWE-664 Python py/partial-ssrf Partial server-side request forgery
CWE-664 Python py/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-664 Python py/tarslip-extended Arbitrary file write during tarfile extraction
CWE-664 Python py/unsafe-unpacking Arbitrary file write during a tarball extraction from a user controlled source
CWE-664 Python py/possible-timing-attack-against-hash Timing attack against Hash
CWE-664 Python py/timing-attack-against-hash Timing attack against Hash
CWE-664 Python py/timing-attack-against-header-value Timing attack against header value
CWE-664 Python py/possible-timing-attack-sensitive-info Timing attack against secret
CWE-664 Python py/timing-attack-sensitive-info Timing attack against secret
CWE-664 Python py/flask-constant-secret-key Initializing SECRET_KEY of Flask application with Constant value
CWE-664 Python py/improper-ldap-auth Improper LDAP Authentication
CWE-664 Python py/decompression-bomb Decompression Bomb
CWE-664 Python py/insecure-ldap-auth Python Insecure LDAP Authentication
CWE-664 Python py/simple-xml-rpc-server-dos SimpleXMLRPCServer denial of service
CWE-664 Python py/unicode-dos Denial of Service using Unicode Characters
CWE-664 Ruby rb/zip-slip Arbitrary file access during archive extraction ("Zip Slip")
CWE-664 Ruby rb/unsafe-hmac-comparison Unsafe HMAC Comparison
CWE-664 Ruby rb/unsafe-unsafeyamldeserialization Deserialization of user-controlled yaml data
CWE-664 Ruby rb/user-controlled-bypass User-controlled bypass of security check
CWE-664 Ruby rb/user-controlled-file-decompression User-controlled file decompression
CWE-664 Ruby rb/improper-ldap-auth Improper LDAP Authentication
CWE-664 Ruby rb/server-side-template-injection Server-side template injection
CWE-664 Ruby rb/path-injection Uncontrolled data used in path expression
CWE-664 Ruby rb/kernel-open Use of Kernel.open, IO.read or similar sinks with user-controlled input
CWE-664 Ruby rb/non-constant-kernel-open Use of Kernel.open or IO.read or similar sinks with a non-constant value
CWE-664 Ruby rb/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-664 Ruby rb/code-injection Code injection
CWE-664 Ruby rb/unsafe-code-construction Unsafe code constructed from library input
CWE-664 Ruby rb/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE-664 Ruby rb/redos Inefficient regular expression
CWE-664 Ruby rb/regexp-injection Regular expression injection
CWE-664 Ruby rb/stack-trace-exposure Information exposure through an exception
CWE-664 Ruby rb/insecure-dependency Dependency download using unencrypted communication channel
CWE-664 Ruby rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE-664 Ruby rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE-664 Ruby rb/unsafe-deserialization Deserialization of user-controlled data
CWE-664 Ruby rb/sensitive-get-query Sensitive data read from GET request
CWE-664 Ruby rb/url-redirection URL redirection from remote source
CWE-664 Ruby rb/xxe XML external entity expansion
CWE-664 Ruby rb/weak-cookie-configuration Weak cookie configuration
CWE-664 Ruby rb/overly-permissive-file Overly permissive file permissions
CWE-664 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE-664 Ruby rb/insecure-download Download of sensitive file through insecure connection
CWE-664 Ruby rb/http-to-file-access Network data written to file
CWE-664 Ruby rb/insecure-mass-assignment Insecure Mass Assignment
CWE-664 Ruby rb/request-forgery Server-side request forgery
CWE-664 Swift swift/unsafe-unpacking Arbitrary file write during a zip extraction from a user controlled source
CWE-664 Swift swift/path-injection Uncontrolled data used in path expression
CWE-664 Swift swift/unsafe-webview-fetch Unsafe WebView fetch
CWE-664 Swift swift/unsafe-js-eval JavaScript Injection
CWE-664 Swift swift/redos Inefficient regular expression
CWE-664 Swift swift/constant-password Constant password
CWE-664 Swift swift/cleartext-storage-database Cleartext storage of sensitive information in a local database
CWE-664 Swift swift/cleartext-logging Cleartext logging of sensitive information
CWE-664 Swift swift/cleartext-storage-preferences Cleartext storage of sensitive information in an application preference store
CWE-664 Swift swift/hardcoded-key Hard-coded encryption key
CWE-664 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE-664 Swift swift/regex-injection Regular expression injection
CWE-665 C/C++ cpp/global-use-before-init Global variable may be used before initialization
CWE-665 C/C++ cpp/initialization-not-run Initialization code not run
CWE-665 C/C++ cpp/not-initialised Variable not initialized before use
CWE-665 C/C++ cpp/alloca-in-loop Call to alloca in a loop
CWE-665 C/C++ cpp/improper-null-termination Potential improper null termination
CWE-665 C/C++ cpp/uninitialized-local Potentially uninitialized local variable
CWE-665 C/C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE-665 C/C++ cpp/conditionally-uninitialized-variable Conditionally uninitialized variable
CWE-665 C# cs/unassigned-field Field is never assigned a non-default value
CWE-665 Go go/uncontrolled-allocation-size Slice memory allocation with excessive size value
CWE-665 Java/Kotlin java/exec-tainted-environment Building a command with an injected environment variable
CWE-665 Java/Kotlin java/unassigned-field Field is never assigned a non-null value
CWE-665 Java/Kotlin java/insecure-rmi-jmx-server-initialization InsecureRmiJmxAuthenticationEnvironment
CWE-665 JavaScript/TypeScript js/missing-rate-limiting Missing rate limiting
CWE-665 JavaScript/TypeScript js/resource-exhaustion Resource exhaustion
CWE-665 JavaScript/TypeScript js/resource-exhaustion-more-sources Resource exhaustion with additional heuristic sources
CWE-665 Python py/implicit-string-concatenation-in-list Implicit string concatenation in a list
CWE-665 Python py/unicode-dos Denial of Service using Unicode Characters
CWE-666 C/C++ cpp/double-free Potential double free
CWE-666 C/C++ cpp/use-after-free Potential use after free
CWE-666 C/C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE-666 C/C++ cpp/using-expired-stack-address Use of expired stack-address
CWE-666 C/C++ cpp/self-assignment-check Self assignment check
CWE-666 C/C++ cpp/use-of-string-after-lifetime-ends Use of string after lifetime ends
CWE-666 C/C++ cpp/use-of-unique-pointer-after-lifetime-ends Use of unique pointer after lifetime ends
CWE-666 C/C++ cpp/experimental-double-free Errors When Double Free
CWE-666 C/C++ cpp/iterator-to-expired-container Iterator to expired container
CWE-666 C/C++ cpp/use-after-expired-lifetime Use of object after its lifetime has ended
CWE-666 C/C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE-666 C/C++ cpp/double-release Errors When Double Release
CWE-667 C/C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE-667 C/C++ cpp/twice-locked Mutex locked twice
CWE-667 C/C++ cpp/unreleased-lock Lock may not be released
CWE-667 C# cs/locked-wait A lock is held during a wait
CWE-667 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE-667 Java/Kotlin java/unsafe-double-checked-locking Double-checked locking is not thread-safe
CWE-667 Java/Kotlin java/unsafe-double-checked-locking-init-order Race condition in double-checked locking object initialization
CWE-667 Java/Kotlin java/lazy-initialization Incorrect lazy initialization of a static field
CWE-667 Java/Kotlin java/sleep-with-lock-held Sleep with lock held
CWE-667 Java/Kotlin java/unsynchronized-getter Inconsistent synchronization of getter and setter
CWE-667 Java/Kotlin java/unreleased-lock Unreleased lock
CWE-667 Java/Kotlin java/wait-with-two-locks Wait with two locks held
CWE-667 Java/Kotlin java/lock-order-inconsistency Lock order inconsistency
CWE-668 C/C++ cpp/path-injection Uncontrolled data used in path expression
CWE-668 C/C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE-668 C/C++ cpp/cleartext-transmission Cleartext transmission of sensitive information
CWE-668 C/C++ cpp/unsafe-create-process-call NULL application name with an unquoted path in call to CreateProcess
CWE-668 C/C++ cpp/system-data-exposure Exposure of system data to an unauthorized control sphere
CWE-668 C/C++ cpp/potential-system-data-exposure Potential exposure of sensitive system data to an unauthorized control sphere
CWE-668 C/C++ cpp/world-writable-file-creation File created without restricting permissions
CWE-668 C/C++ cpp/open-call-with-mode-argument File opened with O_CREAT flag but without mode argument
CWE-668 C/C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE-668 C/C++ cpp/work-with-file-without-permissions-rights Writing to a file without setting permissions.
CWE-668 C/C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE-668 C/C++ cpp/private-cleartext-write Exposure of private information
CWE-668 C/C++ cpp/insecure-generation-of-filename Insecure generation of filenames.
CWE-668 C# cs/static-array Array constant vulnerable to change
CWE-668 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE-668 C# cs/empty-password-in-configuration Empty password in configuration file
CWE-668 C# cs/password-in-configuration Password in configuration file
CWE-668 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE-668 C# cs/path-injection Uncontrolled data used in path expression
CWE-668 C# cs/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-668 C# cs/sensitive-data-transmission Information exposure through transmitted data
CWE-668 C# cs/information-exposure-through-exception Information exposure through an exception
CWE-668 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE-668 C# cs/exposure-of-sensitive-information Exposure of private information
CWE-668 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE-668 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE-668 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-668 Go go/path-injection Uncontrolled data used in path expression
CWE-668 Go go/unsafe-unzip-symlink Arbitrary file write extracting an archive containing symbolic links
CWE-668 Go go/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-668 Go go/stack-trace-exposure Information exposure through a stack trace
CWE-668 Go go/clear-text-logging Clear-text logging of sensitive information
CWE-668 Go go/timing-attack Timing attacks due to comparison of sensitive secrets
CWE-668 Go go/cors-misconfiguration CORS misconfiguration
CWE-668 Java/Kotlin java/path-injection Uncontrolled data used in path expression
CWE-668 Java/Kotlin java/path-injection-local Local-user-controlled data in path expression
CWE-668 Java/Kotlin java/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-668 Java/Kotlin java/partial-path-traversal Partial path traversal vulnerability
CWE-668 Java/Kotlin java/partial-path-traversal-from-remote Partial path traversal vulnerability from remote
CWE-668 Java/Kotlin java/android/sensitive-notification Exposure of sensitive information to notifications
CWE-668 Java/Kotlin java/android/sensitive-text Exposure of sensitive information to UI text views
CWE-668 Java/Kotlin java/android/websettings-allow-content-access Android WebView settings allows access to content links
CWE-668 Java/Kotlin java/android/websettings-file-access Android WebSettings file access
CWE-668 Java/Kotlin java/local-temp-file-or-directory-information-disclosure Local information disclosure in a temporary directory
CWE-668 Java/Kotlin java/stack-trace-exposure Information exposure through a stack trace
CWE-668 Java/Kotlin java/insecure-basic-auth Insecure basic authentication
CWE-668 Java/Kotlin java/insecure-ldap-auth Insecure LDAP authentication
CWE-668 Java/Kotlin java/android/sensitive-keyboard-cache Android sensitive keyboard cache
CWE-668 Java/Kotlin java/sensitive-log Insertion of sensitive information into log files
CWE-668 Java/Kotlin java/unvalidated-url-forward URL forward from a remote source
CWE-668 Java/Kotlin java/world-writable-file-read Reading from a world writable file
CWE-668 Java/Kotlin java/android/implicit-pendingintents Use of implicit PendingIntents
CWE-668 Java/Kotlin java/android/sensitive-communication Leaking sensitive information through an implicit Intent
CWE-668 Java/Kotlin java/android/sensitive-result-receiver Leaking sensitive information through a ResultReceiver
CWE-668 Java/Kotlin java/static-array Array constant vulnerable to change
CWE-668 Java/Kotlin java/openstream-called-on-tainted-url openStream called on URLs created from remote source
CWE-668 Java/Kotlin java/file-path-injection File Path Injection
CWE-668 Java/Kotlin java/insecure-webview-resource-response Insecure Android WebView Resource Response
CWE-668 Java/Kotlin java/sensitive-android-file-leak Leaking sensitive Android file
CWE-668 Java/Kotlin java/possible-timing-attack-against-signature Possible timing attack against signature validation
CWE-668 Java/Kotlin java/timing-attack-against-headers-value Timing attack against header value
CWE-668 Java/Kotlin java/timing-attack-against-signature Timing attack against signature validation
CWE-668 Java/Kotlin java/server-directory-listing Directories and files exposure
CWE-668 Java/Kotlin java/credentials-in-properties Cleartext Credentials in Properties File
CWE-668 Java/Kotlin java/password-in-configuration Password in configuration file
CWE-668 Java/Kotlin java/sensitive-query-with-get Sensitive GET Query
CWE-668 JavaScript/TypeScript js/unsafe-external-link Potentially unsafe external link
CWE-668 JavaScript/TypeScript js/path-injection Uncontrolled data used in path expression
CWE-668 JavaScript/TypeScript js/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-668 JavaScript/TypeScript js/template-object-injection Template Object Injection
CWE-668 JavaScript/TypeScript js/file-access-to-http File data in outbound network request
CWE-668 JavaScript/TypeScript js/exposure-of-private-files Exposure of private files
CWE-668 JavaScript/TypeScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE-668 JavaScript/TypeScript js/stack-trace-exposure Information exposure through a stack trace
CWE-668 JavaScript/TypeScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE-668 JavaScript/TypeScript js/clear-text-logging Clear-text logging of sensitive information
CWE-668 JavaScript/TypeScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE-668 JavaScript/TypeScript js/password-in-configuration-file Password in configuration file
CWE-668 JavaScript/TypeScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE-668 JavaScript/TypeScript js/insecure-temporary-file Insecure temporary file
CWE-668 JavaScript/TypeScript js/sensitive-get-query Sensitive data read from GET request
CWE-668 JavaScript/TypeScript js/empty-password-in-configuration-file Empty password in configuration file
CWE-668 JavaScript/TypeScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE-668 Python py/bind-socket-all-network-interfaces Binding a socket to all network interfaces
CWE-668 Python py/path-injection Uncontrolled data used in path expression
CWE-668 Python py/tarslip Arbitrary file write during tarfile extraction
CWE-668 Python py/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-668 Python py/stack-trace-exposure Information exposure through an exception
CWE-668 Python py/flask-debug Flask app is run in debug mode
CWE-668 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE-668 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE-668 Python py/insecure-temporary-file Insecure temporary file
CWE-668 Python py/overly-permissive-file Overly permissive file permissions
CWE-668 Python py/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-668 Python py/tarslip-extended Arbitrary file write during tarfile extraction
CWE-668 Python py/unsafe-unpacking Arbitrary file write during a tarball extraction from a user controlled source
CWE-668 Python py/possible-timing-attack-against-hash Timing attack against Hash
CWE-668 Python py/timing-attack-against-hash Timing attack against Hash
CWE-668 Python py/timing-attack-against-header-value Timing attack against header value
CWE-668 Python py/possible-timing-attack-sensitive-info Timing attack against secret
CWE-668 Python py/timing-attack-sensitive-info Timing attack against secret
CWE-668 Python py/insecure-ldap-auth Python Insecure LDAP Authentication
CWE-668 Ruby rb/zip-slip Arbitrary file access during archive extraction ("Zip Slip")
CWE-668 Ruby rb/unsafe-hmac-comparison Unsafe HMAC Comparison
CWE-668 Ruby rb/path-injection Uncontrolled data used in path expression
CWE-668 Ruby rb/kernel-open Use of Kernel.open, IO.read or similar sinks with user-controlled input
CWE-668 Ruby rb/non-constant-kernel-open Use of Kernel.open or IO.read or similar sinks with a non-constant value
CWE-668 Ruby rb/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-668 Ruby rb/stack-trace-exposure Information exposure through an exception
CWE-668 Ruby rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE-668 Ruby rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE-668 Ruby rb/sensitive-get-query Sensitive data read from GET request
CWE-668 Ruby rb/weak-cookie-configuration Weak cookie configuration
CWE-668 Ruby rb/overly-permissive-file Overly permissive file permissions
CWE-668 Swift swift/unsafe-unpacking Arbitrary file write during a zip extraction from a user controlled source
CWE-668 Swift swift/path-injection Uncontrolled data used in path expression
CWE-668 Swift swift/cleartext-logging Cleartext logging of sensitive information
CWE-669 C/C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE-669 C# cs/web/file-upload Use of file upload
CWE-669 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-669 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-669 C# cs/insecure-xml-read XML is read insecurely
CWE-669 Java/Kotlin java/xxe Resolving XML external entity in user-controlled data
CWE-669 Java/Kotlin java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE-669 Java/Kotlin java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE-669 JavaScript/TypeScript js/enabling-electron-insecure-content Enabling Electron allowRunningInsecureContent
CWE-669 JavaScript/TypeScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE-669 JavaScript/TypeScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-669 JavaScript/TypeScript js/xxe XML external entity expansion
CWE-669 JavaScript/TypeScript js/insecure-download Download of sensitive file through insecure connection
CWE-669 JavaScript/TypeScript js/functionality-from-untrusted-source Inclusion of functionality from an untrusted source
CWE-669 JavaScript/TypeScript js/http-to-file-access Network data written to file
CWE-669 JavaScript/TypeScript js/xxe-more-sources XML external entity expansion with additional heuristic sources
CWE-669 Python py/xxe XML external entity expansion
CWE-669 Ruby rb/insecure-dependency Dependency download using unencrypted communication channel
CWE-669 Ruby rb/xxe XML external entity expansion
CWE-669 Ruby rb/insecure-download Download of sensitive file through insecure connection
CWE-669 Ruby rb/http-to-file-access Network data written to file
CWE-669 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE-670 C/C++ cpp/comma-before-misleading-indentation Comma before misleading indentation
CWE-670 C/C++ cpp/assign-where-compare-meant Assignment where comparison was intended
CWE-670 C/C++ cpp/compare-where-assign-meant Comparison where assignment was intended
CWE-670 C/C++ cpp/incorrect-not-operator-usage Incorrect 'not' operator usage
CWE-670 C/C++ cpp/logical-operator-applied-to-flag Short-circuiting operator applied to flag
CWE-670 C/C++ cpp/unsafe-use-of-this Unsafe use of this in constructor
CWE-670 C/C++ cpp/dangerous-use-of-ssl-shutdown Dangerous use SSL_shutdown.
CWE-670 C/C++ cpp/operator-precedence-logic-error-when-use-bitwise-logical-operations Operator Precedence Logic Error When Use Bitwise Or Logical Operations
CWE-670 C/C++ cpp/operator-precedence-logic-error-when-use-bool-type Operator Precedence Logic Error When Use Bool Type
CWE-670 C# cs/non-short-circuit Potentially dangerous use of non-short-circuit logic
CWE-670 Go go/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE-670 Go go/useless-expression Expression has no effect
CWE-670 Go go/redundant-operation Identical operands
CWE-670 Go go/redundant-assignment Self assignment
CWE-670 Java/Kotlin java/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE-670 Java/Kotlin java/assignment-in-boolean-expression Assignment in Boolean expression
CWE-670 Java/Kotlin java/reference-equality-on-strings Reference equality test on strings
CWE-670 Java/Kotlin java/switch-fall-through Unterminated switch case
CWE-670 JavaScript/TypeScript js/useless-expression Expression has no effect
CWE-670 JavaScript/TypeScript js/redundant-operation Identical operands
CWE-670 JavaScript/TypeScript js/redundant-assignment Self assignment
CWE-670 JavaScript/TypeScript js/unclear-operator-precedence Unclear precedence of nested operators
CWE-670 JavaScript/TypeScript js/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE-670 JavaScript/TypeScript js/deletion-of-non-property Deleting non-property
CWE-670 JavaScript/TypeScript js/misleading-indentation-of-dangling-else Misleading indentation of dangling 'else'
CWE-670 JavaScript/TypeScript js/misleading-indentation-after-control-statement Misleading indentation after control statement
CWE-670 Python py/asserts-tuple Asserting a tuple
CWE-671 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE-671 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-671 C# cs/hardcoded-credentials Hard-coded credentials
CWE-671 Go go/hardcoded-credentials Hard-coded credentials
CWE-671 Go go/parse-jwt-with-hardcoded-key Decoding JWT with hardcoded key
CWE-671 Java/Kotlin java/hardcoded-credential-api-call Hard-coded credential in API call
CWE-671 Java/Kotlin java/hardcoded-credential-comparison Hard-coded credential comparison
CWE-671 Java/Kotlin java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE-671 Java/Kotlin java/hardcoded-password-field Hard-coded password field
CWE-671 JavaScript/TypeScript js/hardcoded-credentials Hard-coded credentials
CWE-671 Python py/hardcoded-credentials Hard-coded credentials
CWE-671 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE-671 Swift swift/constant-password Constant password
CWE-671 Swift swift/hardcoded-key Hard-coded encryption key
CWE-672 C/C++ cpp/double-free Potential double free
CWE-672 C/C++ cpp/use-after-free Potential use after free
CWE-672 C/C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE-672 C/C++ cpp/using-expired-stack-address Use of expired stack-address
CWE-672 C/C++ cpp/use-of-string-after-lifetime-ends Use of string after lifetime ends
CWE-672 C/C++ cpp/use-of-unique-pointer-after-lifetime-ends Use of unique pointer after lifetime ends
CWE-672 C/C++ cpp/experimental-double-free Errors When Double Free
CWE-672 C/C++ cpp/iterator-to-expired-container Iterator to expired container
CWE-672 C/C++ cpp/use-after-expired-lifetime Use of object after its lifetime has ended
CWE-672 C/C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE-674 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-674 C# cs/insecure-xml-read XML is read insecurely
CWE-674 Java/Kotlin java/xxe Resolving XML external entity in user-controlled data
CWE-674 Java/Kotlin java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE-674 JavaScript/TypeScript js/xml-bomb XML internal entity expansion
CWE-674 JavaScript/TypeScript js/xml-bomb-more-sources XML internal entity expansion with additional heuristic sources
CWE-674 Python py/xml-bomb XML internal entity expansion
CWE-674 Python py/simple-xml-rpc-server-dos SimpleXMLRPCServer denial of service
CWE-674 Ruby rb/xxe XML external entity expansion
CWE-674 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE-675 C/C++ cpp/double-free Potential double free
CWE-675 C/C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE-675 C/C++ cpp/twice-locked Mutex locked twice
CWE-675 C/C++ cpp/unreleased-lock Lock may not be released
CWE-675 C/C++ cpp/experimental-double-free Errors When Double Free
CWE-675 C/C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE-675 C/C++ cpp/double-release Errors When Double Release
CWE-675 Java/Kotlin java/unreleased-lock Unreleased lock
CWE-676 C/C++ cpp/bad-strncpy-size Possibly wrong buffer size in string copy
CWE-676 C/C++ cpp/suspicious-call-to-memset Suspicious call to memset
CWE-676 C/C++ cpp/unsafe-strncat Potentially unsafe call to strncat
CWE-676 C/C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE-676 C/C++ cpp/dangerous-function-overflow Use of dangerous function
CWE-676 C/C++ cpp/dangerous-cin Dangerous use of 'cin'
CWE-676 C/C++ cpp/potentially-dangerous-function Use of potentially dangerous function
CWE-676 Java/Kotlin java/potentially-dangerous-function Use of a potentially dangerous function
CWE-676 JavaScript/TypeScript js/eval-like-call Call to eval-like DOM function
CWE-676 JavaScript/TypeScript js/eval-call Use of eval
CWE-681 C/C++ cpp/bad-addition-overflow-check Bad check for overflow of integer addition
CWE-681 C/C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE-681 C/C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE-681 C/C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE-681 C# cs/loss-of-precision Possible loss of precision
CWE-681 Go go/shift-out-of-range Shift out of range
CWE-681 Go go/incorrect-integer-conversion Incorrect conversion between integer types
CWE-681 Java/Kotlin java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE-681 Java/Kotlin java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE-681 Java/Kotlin java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE-681 Java/Kotlin java/tainted-numeric-cast User-controlled data in numeric cast
CWE-681 Java/Kotlin java/tainted-numeric-cast-local Local-user-controlled data in numeric cast
CWE-681 JavaScript/TypeScript js/shift-out-of-range Shift out of range
CWE-682 C/C++ cpp/overflow-calculated Buffer not sufficient for string
CWE-682 C/C++ cpp/overflow-destination Copy function using source size
CWE-682 C/C++ cpp/static-buffer-overflow Static array access may cause overflow
CWE-682 C/C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE-682 C/C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE-682 C/C++ cpp/ambiguously-signed-bit-field Ambiguously signed bit-field member
CWE-682 C/C++ cpp/bad-addition-overflow-check Bad check for overflow of integer addition
CWE-682 C/C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE-682 C/C++ cpp/signed-overflow-check Signed overflow check
CWE-682 C/C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE-682 C/C++ cpp/suspicious-sizeof Suspicious 'sizeof' use
CWE-682 C/C++ cpp/overrun-write Overrunning write
CWE-682 C/C++ cpp/no-space-for-terminator No space for zero terminator
CWE-682 C/C++ cpp/tainted-arithmetic User-controlled data in arithmetic expression
CWE-682 C/C++ cpp/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE-682 C/C++ cpp/arithmetic-with-extreme-values Use of extreme values in arithmetic expression
CWE-682 C/C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE-682 C/C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE-682 C/C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE-682 C/C++ cpp/unsigned-difference-expression-compared-zero Unsigned difference expression compared to zero
CWE-682 C/C++ cpp/invalid-pointer-deref Invalid pointer dereference
CWE-682 C/C++ cpp/suspicious-pointer-scaling Suspicious pointer scaling
CWE-682 C/C++ cpp/incorrect-pointer-scaling-char Suspicious pointer scaling to char
CWE-682 C/C++ cpp/suspicious-pointer-scaling-void Suspicious pointer scaling to void
CWE-682 C/C++ cpp/suspicious-add-sizeof Suspicious add with sizeof
CWE-682 C/C++ cpp/multiplication-overflow-in-alloc Multiplication result may overflow and be used in allocation
CWE-682 C/C++ cpp/dangerous-use-of-transformation-after-operation Dangerous use of transformation after operation.
CWE-682 C/C++ cpp/divide-by-zero-using-return-value Divide by zero using return value
CWE-682 C/C++ cpp/signed-bit-field Possible signed bit-field member
CWE-682 C# cs/index-out-of-bounds Off-by-one comparison against container length
CWE-682 C# cs/loss-of-precision Possible loss of precision
CWE-682 Go go/index-out-of-bounds Off-by-one comparison against length
CWE-682 Go go/allocation-size-overflow Size computation for allocation may overflow
CWE-682 Go go/incorrect-integer-conversion Incorrect conversion between integer types
CWE-682 Go go/divide-by-zero Divide by zero
CWE-682 Java/Kotlin java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE-682 Java/Kotlin java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE-682 Java/Kotlin java/index-out-of-bounds Array index out of bounds
CWE-682 Java/Kotlin java/tainted-arithmetic User-controlled data in arithmetic expression
CWE-682 Java/Kotlin java/tainted-arithmetic-local Local-user-controlled data in arithmetic expression
CWE-682 Java/Kotlin java/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE-682 Java/Kotlin java/extreme-value-arithmetic Use of extreme values in arithmetic expression
CWE-682 Java/Kotlin java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE-682 JavaScript/TypeScript js/index-out-of-bounds Off-by-one comparison against length
CWE-682 Swift swift/string-length-conflation String length conflation
CWE-684 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-684 JavaScript/TypeScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-685 C/C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE-685 C/C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE-685 Java/Kotlin java/missing-format-argument Missing format argument
CWE-685 Java/Kotlin java/unused-format-argument Unused format argument
CWE-685 JavaScript/TypeScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE-685 Python py/call/wrong-number-class-arguments Wrong number of arguments in a class instantiation
CWE-685 Python py/percent-format/wrong-arguments Wrong number of arguments for format
CWE-685 Python py/call/wrong-arguments Wrong number of arguments in a call
CWE-686 C/C++ cpp/wrong-type-format-argument Wrong type of arguments to formatting function
CWE-687 C/C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE-687 Python py/super-not-enclosing-class First argument to super() is not enclosing class
CWE-691 C/C++ cpp/comma-before-misleading-indentation Comma before misleading indentation
CWE-691 C/C++ cpp/assign-where-compare-meant Assignment where comparison was intended
CWE-691 C/C++ cpp/compare-where-assign-meant Comparison where assignment was intended
CWE-691 C/C++ cpp/incorrect-not-operator-usage Incorrect 'not' operator usage
CWE-691 C/C++ cpp/logical-operator-applied-to-flag Short-circuiting operator applied to flag
CWE-691 C/C++ cpp/inconsistent-loop-direction Inconsistent direction of for loop
CWE-691 C/C++ cpp/unsafe-use-of-this Unsafe use of this in constructor
CWE-691 C/C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE-691 C/C++ cpp/toctou-race-condition Time-of-check time-of-use filesystem race condition
CWE-691 C/C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE-691 C/C++ cpp/twice-locked Mutex locked twice
CWE-691 C/C++ cpp/unreleased-lock Lock may not be released
CWE-691 C/C++ cpp/infinite-loop-with-unsatisfiable-exit-condition Infinite loop with unsatisfiable exit condition
CWE-691 C/C++ cpp/linux-kernel-double-fetch-vulnerability Linux kernel double-fetch vulnerability detection
CWE-691 C/C++ cpp/operator-find-incorrectly-used-switch Incorrect switch statement
CWE-691 C/C++ cpp/dangerous-use-of-ssl-shutdown Dangerous use SSL_shutdown.
CWE-691 C/C++ cpp/errors-after-refactoring Errors After Refactoring
CWE-691 C/C++ cpp/errors-when-using-bit-operations Errors When Using Bit Operations
CWE-691 C/C++ cpp/operator-find-incorrectly-used-exceptions Operator Find Incorrectly Used Exceptions
CWE-691 C/C++ cpp/operator-precedence-logic-error-when-use-bitwise-logical-operations Operator Precedence Logic Error When Use Bitwise Or Logical Operations
CWE-691 C/C++ cpp/operator-precedence-logic-error-when-use-bool-type Operator Precedence Logic Error When Use Bool Type
CWE-691 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE-691 C# cs/constant-condition Constant condition
CWE-691 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE-691 C# cs/inconsistent-lock-sequence Inconsistent lock sequence
CWE-691 C# cs/lock-this Locking the 'this' object in a lock statement
CWE-691 C# cs/locked-wait A lock is held during a wait
CWE-691 C# cs/unsynchronized-getter Inconsistently synchronized property
CWE-691 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE-691 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE-691 C# cs/catch-of-all-exceptions Generic catch clause
CWE-691 C# cs/non-short-circuit Potentially dangerous use of non-short-circuit logic
CWE-691 C# cs/thread-unsafe-icryptotransform-field-in-class Thread-unsafe use of a static ICryptoTransform field
CWE-691 C# cs/thread-unsafe-icryptotransform-captured-in-lambda Thread-unsafe capturing of an ICryptoTransform object
CWE-691 C# cs/linq/inconsistent-enumeration Bad multiple iteration
CWE-691 C# cs/code-injection Improper control of generation of code
CWE-691 C# cs/web/missing-global-error-handler Missing global error handler
CWE-691 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-691 C# cs/insecure-xml-read XML is read insecurely
CWE-691 Go go/inconsistent-loop-direction Inconsistent direction of for loop
CWE-691 Go go/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE-691 Go go/useless-expression Expression has no effect
CWE-691 Go go/redundant-operation Identical operands
CWE-691 Go go/redundant-assignment Self assignment
CWE-691 Go go/unsafe-quoting Potentially unsafe quoting
CWE-691 Java/Kotlin java/ejb/container-interference EJB interferes with container operation
CWE-691 Java/Kotlin java/ejb/synchronization EJB uses synchronization
CWE-691 Java/Kotlin java/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE-691 Java/Kotlin java/assignment-in-boolean-expression Assignment in Boolean expression
CWE-691 Java/Kotlin java/reference-equality-on-strings Reference equality test on strings
CWE-691 Java/Kotlin java/wait-on-condition-interface Wait on condition
CWE-691 Java/Kotlin java/call-to-thread-run Direct call to a run() method
CWE-691 Java/Kotlin java/unsafe-double-checked-locking Double-checked locking is not thread-safe
CWE-691 Java/Kotlin java/unsafe-double-checked-locking-init-order Race condition in double-checked locking object initialization
CWE-691 Java/Kotlin java/unsafe-sync-on-field Futile synchronization on field
CWE-691 Java/Kotlin java/inconsistent-field-synchronization Inconsistent synchronization for field
CWE-691 Java/Kotlin java/lazy-initialization Incorrect lazy initialization of a static field
CWE-691 Java/Kotlin java/non-sync-override Non-synchronized override of synchronized method
CWE-691 Java/Kotlin java/notify-instead-of-notify-all notify instead of notifyAll
CWE-691 Java/Kotlin java/sleep-with-lock-held Sleep with lock held
CWE-691 Java/Kotlin java/sync-on-boxed-types Synchronization on boxed types or strings
CWE-691 Java/Kotlin java/unsynchronized-getter Inconsistent synchronization of getter and setter
CWE-691 Java/Kotlin java/inconsistent-sync-writeobject Inconsistent synchronization for writeObject()
CWE-691 Java/Kotlin java/unreleased-lock Unreleased lock
CWE-691 Java/Kotlin java/wait-with-two-locks Wait with two locks held
CWE-691 Java/Kotlin java/non-short-circuit-evaluation Dangerous non-short-circuit logic
CWE-691 Java/Kotlin java/constant-loop-condition Constant loop condition
CWE-691 Java/Kotlin java/android/arbitrary-apk-installation Android APK installation
CWE-691 Java/Kotlin java/groovy-injection Groovy Language injection
CWE-691 Java/Kotlin java/insecure-bean-validation Insecure Bean Validation
CWE-691 Java/Kotlin java/jexl-expression-injection Expression language injection (JEXL)
CWE-691 Java/Kotlin java/mvel-expression-injection Expression language injection (MVEL)
CWE-691 Java/Kotlin java/spel-expression-injection Expression language injection (Spring)
CWE-691 Java/Kotlin java/server-side-template-injection Server-side template injection
CWE-691 Java/Kotlin java/toctou-race-condition Time-of-check time-of-use race condition
CWE-691 Java/Kotlin java/socket-auth-race-condition Race condition in socket authentication
CWE-691 Java/Kotlin java/xxe Resolving XML external entity in user-controlled data
CWE-691 Java/Kotlin java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE-691 Java/Kotlin java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android WebView
CWE-691 Java/Kotlin java/lock-order-inconsistency Lock order inconsistency
CWE-691 Java/Kotlin java/unreachable-exit-in-loop Loop with unreachable exit condition
CWE-691 Java/Kotlin java/switch-fall-through Unterminated switch case
CWE-691 Java/Kotlin java/overly-general-catch Overly-general catch clause
CWE-691 Java/Kotlin java/uncaught-number-format-exception Missing catch of NumberFormatException
CWE-691 Java/Kotlin java/jvm-exit Forcible JVM termination
CWE-691 Java/Kotlin java/abnormal-finally-completion Finally block may not complete normally
CWE-691 Java/Kotlin java/beanshell-injection BeanShell injection
CWE-691 Java/Kotlin java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE-691 Java/Kotlin java/jshell-injection JShell injection
CWE-691 Java/Kotlin java/javaee-expression-injection Jakarta Expression Language injection
CWE-691 Java/Kotlin java/jython-injection Injection in Jython
CWE-691 Java/Kotlin java/unsafe-eval Injection in Java Script Engine
CWE-691 Java/Kotlin java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE-691 Java/Kotlin java/spring-view-manipulation Spring View Manipulation
CWE-691 Java/Kotlin java/uncaught-servlet-exception Uncaught Servlet Exception
CWE-691 JavaScript/TypeScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE-691 JavaScript/TypeScript js/useless-expression Expression has no effect
CWE-691 JavaScript/TypeScript js/redundant-operation Identical operands
CWE-691 JavaScript/TypeScript js/redundant-assignment Self assignment
CWE-691 JavaScript/TypeScript js/unclear-operator-precedence Unclear precedence of nested operators
CWE-691 JavaScript/TypeScript js/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE-691 JavaScript/TypeScript js/deletion-of-non-property Deleting non-property
CWE-691 JavaScript/TypeScript js/exit-from-finally Jump from finally
CWE-691 JavaScript/TypeScript js/template-object-injection Template Object Injection
CWE-691 JavaScript/TypeScript js/code-injection Code injection
CWE-691 JavaScript/TypeScript js/actions/command-injection Expression injection in Actions
CWE-691 JavaScript/TypeScript js/bad-code-sanitization Improper code sanitization
CWE-691 JavaScript/TypeScript js/unsafe-code-construction Unsafe code constructed from library input
CWE-691 JavaScript/TypeScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE-691 JavaScript/TypeScript js/file-system-race Potential file system race condition
CWE-691 JavaScript/TypeScript js/server-crash Server crash
CWE-691 JavaScript/TypeScript js/missing-rate-limiting Missing rate limiting
CWE-691 JavaScript/TypeScript js/xml-bomb XML internal entity expansion
CWE-691 JavaScript/TypeScript js/loop-bound-injection Loop bound injection
CWE-691 JavaScript/TypeScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE-691 JavaScript/TypeScript js/prototype-pollution-utility Prototype-polluting function
CWE-691 JavaScript/TypeScript js/prototype-pollution Prototype-polluting merge call
CWE-691 JavaScript/TypeScript js/misleading-indentation-of-dangling-else Misleading indentation of dangling 'else'
CWE-691 JavaScript/TypeScript js/inconsistent-loop-direction Inconsistent direction of for loop
CWE-691 JavaScript/TypeScript js/misleading-indentation-after-control-statement Misleading indentation after control statement
CWE-691 JavaScript/TypeScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE-691 JavaScript/TypeScript js/code-injection-more-sources Code injection with additional heuristic sources
CWE-691 JavaScript/TypeScript js/xml-bomb-more-sources XML internal entity expansion with additional heuristic sources
CWE-691 JavaScript/TypeScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE-691 Python py/catch-base-exception Except block handles 'BaseException'
CWE-691 Python py/code-injection Code injection
CWE-691 Python py/xml-bomb XML internal entity expansion
CWE-691 Python py/asserts-tuple Asserting a tuple
CWE-691 Python py/exit-from-finally 'break' or 'return' statement in finally
CWE-691 Python py/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE-691 Python py/simple-xml-rpc-server-dos SimpleXMLRPCServer denial of service
CWE-691 Ruby rb/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE-691 Ruby rb/server-side-template-injection Server-side template injection
CWE-691 Ruby rb/code-injection Code injection
CWE-691 Ruby rb/unsafe-code-construction Unsafe code constructed from library input
CWE-691 Ruby rb/xxe XML external entity expansion
CWE-691 Swift swift/unsafe-webview-fetch Unsafe WebView fetch
CWE-691 Swift swift/unsafe-js-eval JavaScript Injection
CWE-691 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE-693 C/C++ cpp/boost/tls-settings-misconfiguration boost::asio TLS settings misconfiguration
CWE-693 C/C++ cpp/boost/use-of-deprecated-hardcoded-security-protocol boost::asio use of deprecated hardcoded protocol
CWE-693 C/C++ cpp/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE-693 C/C++ cpp/count-untrusted-data-external-api-ir Frequency counts for external APIs that are used with untrusted data
CWE-693 C/C++ cpp/untrusted-data-to-external-api-ir Untrusted data passed to external API
CWE-693 C/C++ cpp/untrusted-data-to-external-api Untrusted data passed to external API
CWE-693 C/C++ cpp/uncontrolled-process-operation Uncontrolled process operation
CWE-693 C/C++ cpp/unclear-array-index-validation Unclear validation of array index
CWE-693 C/C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE-693 C/C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE-693 C/C++ cpp/certificate-result-conflation Certificate result conflation
CWE-693 C/C++ cpp/certificate-not-checked Certificate not checked
CWE-693 C/C++ cpp/cleartext-storage-buffer Cleartext storage of sensitive information in buffer
CWE-693 C/C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE-693 C/C++ cpp/cleartext-transmission Cleartext transmission of sensitive information
CWE-693 C/C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE-693 C/C++ cpp/non-https-url Failure to use HTTPS URLs
CWE-693 C/C++ cpp/insufficient-key-size Use of a cryptographic algorithm with insufficient key size
CWE-693 C/C++ cpp/weak-cryptographic-algorithm Use of a broken or risky cryptographic algorithm
CWE-693 C/C++ cpp/openssl-heartbleed Use of a version of OpenSSL with Heartbleed
CWE-693 C/C++ cpp/world-writable-file-creation File created without restricting permissions
CWE-693 C/C++ cpp/open-call-with-mode-argument File opened with O_CREAT flag but without mode argument
CWE-693 C/C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE-693 C/C++ cpp/tainted-permissions-check Untrusted input for a condition
CWE-693 C/C++ cpp/late-check-of-function-argument Late Check Of Function Argument
CWE-693 C/C++ cpp/linux-kernel-no-check-before-unsafe-put-user Linux kernel no check before unsafe_put_user vulnerability detection
CWE-693 C/C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE-693 C/C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE-693 C/C++ cpp/pam-auth-bypass PAM Authorization bypass
CWE-693 C/C++ cpp/unknown-asymmetric-key-gen-size Unknown key generation key size
CWE-693 C/C++ cpp/weak-asymmetric-key-gen-size Weak asymmetric key generation key size (< 2048 bits)
CWE-693 C/C++ cpp/weak-block-mode Weak block mode
CWE-693 C/C++ cpp/weak-elliptic-curve Weak elliptic curve
CWE-693 C/C++ cpp/weak-crypto/banned-encryption-algorithms Weak cryptography
CWE-693 C/C++ cpp/weak-crypto/banned-hash-algorithms Weak cryptography
CWE-693 C# cs/empty-password-in-configuration Empty password in configuration file
CWE-693 C# cs/password-in-configuration Password in configuration file
CWE-693 C# cs/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE-693 C# cs/serialization-check-bypass Serialization check bypass
CWE-693 C# cs/untrusted-data-to-external-api Untrusted data passed to external API
CWE-693 C# cs/xml/missing-validation Missing XML validation
CWE-693 C# cs/assembly-path-injection Assembly path injection
CWE-693 C# cs/web/missing-function-level-access-control Missing function level access control
CWE-693 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE-693 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE-693 C# cs/adding-cert-to-root-store Do not add certificates to the system root store.
CWE-693 C# cs/insecure-sql-connection Insecure SQL connection
CWE-693 C# cs/web/missing-token-validation Missing cross-site request forgery token validation
CWE-693 C# cs/session-reuse Failure to abandon session
CWE-693 C# cs/web/requiressl-not-set 'requireSSL' attribute is not set to true
CWE-693 C# cs/web/insecure-direct-object-reference Insecure Direct Object Reference
CWE-693 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-693 C# cs/hardcoded-credentials Hard-coded credentials
CWE-693 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE-693 C# cs/web/broad-cookie-domain Cookie security: overly broad domain
CWE-693 C# cs/web/broad-cookie-path Cookie security: overly broad path
CWE-693 C# cs/ecb-encryption Encryption using ECB
CWE-693 C# cs/inadequate-rsa-padding Weak encryption: inadequate RSA padding
CWE-693 C# cs/insufficient-key-size Weak encryption: Insufficient key size
CWE-693 C# cs/weak-encryption Weak encryption
CWE-693 C# cs/azure-storage/unsafe-usage-of-client-side-encryption-version Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187).
CWE-693 C# cs/web/cookie-secure-not-set 'Secure' attribute is not set to true
CWE-693 C# cs/hash-without-salt Use of a hash function without a salt
CWE-693 Go go/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE-693 Go go/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE-693 Go go/incomplete-url-scheme-check Incomplete URL scheme check
CWE-693 Go go/regex/missing-regexp-anchor Missing regular expression anchor
CWE-693 Go go/suspicious-character-in-regex Suspicious characters in a regular expression
CWE-693 Go go/untrusted-data-to-external-api Untrusted data passed to external API
CWE-693 Go go/untrusted-data-to-unknown-external-api Untrusted data passed to unknown external API
CWE-693 Go go/disabled-certificate-check Disabled TLS certificate check
CWE-693 Go go/clear-text-logging Clear-text logging of sensitive information
CWE-693 Go go/insecure-hostkeycallback Use of insecure HostKeyCallback implementation
CWE-693 Go go/weak-crypto-key Use of a weak cryptographic key
CWE-693 Go go/insecure-tls Insecure TLS configuration
CWE-693 Go go/missing-jwt-signature-check Missing JWT signature check
CWE-693 Go go/constant-oauth2-state Use of constant state value in OAuth 2.0 URL
CWE-693 Go go/email-injection Email content injection
CWE-693 Go go/hardcoded-credentials Hard-coded credentials
CWE-693 Go go/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE-693 Go go/improper-ldap-auth Improper LDAP Authentication
CWE-693 Go go/parse-jwt-with-hardcoded-key Decoding JWT with hardcoded key
CWE-693 Go go/weak-crypto-algorithm Use of a weak cryptographic algorithm
CWE-693 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE-693 Go go/cors-misconfiguration CORS misconfiguration
CWE-693 Java/Kotlin java/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE-693 Java/Kotlin java/overly-large-range Overly permissive regular expression range
CWE-693 Java/Kotlin java/untrusted-data-to-external-api Untrusted data passed to external API
CWE-693 Java/Kotlin java/improper-validation-of-array-construction Improper validation of user-provided size used for array construction
CWE-693 Java/Kotlin java/improper-validation-of-array-construction-code-specified Improper validation of code-specified size used for array construction
CWE-693 Java/Kotlin java/improper-validation-of-array-construction-local Improper validation of local user-provided size used for array construction
CWE-693 Java/Kotlin java/improper-validation-of-array-index Improper validation of user-provided array index
CWE-693 Java/Kotlin java/improper-validation-of-array-index-code-specified Improper validation of code-specified array index
CWE-693 Java/Kotlin java/improper-validation-of-array-index-local Improper validation of local user-provided array index
CWE-693 Java/Kotlin java/local-temp-file-or-directory-information-disclosure Local information disclosure in a temporary directory
CWE-693 Java/Kotlin java/android/intent-uri-permission-manipulation Intent URI permission manipulation
CWE-693 Java/Kotlin java/unsafe-cert-trust Unsafe certificate trust
CWE-693 Java/Kotlin java/android/insecure-local-key-gen Insecurely generated keys for local authentication
CWE-693 Java/Kotlin java/android/insecure-local-authentication Insecure local authentication
CWE-693 Java/Kotlin java/android/missing-certificate-pinning Android missing certificate pinning
CWE-693 Java/Kotlin java/improper-webview-certificate-validation Android WebView that accepts all certificates
CWE-693 Java/Kotlin java/insecure-trustmanager TrustManager that accepts all certificates
CWE-693 Java/Kotlin java/insecure-smtp-ssl Insecure JavaMail SSL Configuration
CWE-693 Java/Kotlin java/unsafe-hostname-verification Unsafe hostname verification
CWE-693 Java/Kotlin java/android/backup-enabled Application backup allowed
CWE-693 Java/Kotlin java/android/cleartext-storage-database Cleartext storage of sensitive information using a local database on Android
CWE-693 Java/Kotlin java/android/cleartext-storage-filesystem Cleartext storage of sensitive information in the Android filesystem
CWE-693 Java/Kotlin java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE-693 Java/Kotlin java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE-693 Java/Kotlin java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE-693 Java/Kotlin java/android/cleartext-storage-shared-prefs Cleartext storage of sensitive information using SharedPreferences on Android
CWE-693 Java/Kotlin java/non-https-url Failure to use HTTPS URLs
CWE-693 Java/Kotlin java/non-ssl-connection Failure to use SSL
CWE-693 Java/Kotlin java/non-ssl-socket-factory Failure to use SSL socket factories
CWE-693 Java/Kotlin java/insufficient-key-size Use of a cryptographic algorithm with insufficient key size
CWE-693 Java/Kotlin java/weak-cryptographic-algorithm Use of a broken or risky cryptographic algorithm
CWE-693 Java/Kotlin java/potentially-weak-cryptographic-algorithm Use of a potentially broken or risky cryptographic algorithm
CWE-693 Java/Kotlin java/missing-jwt-signature-check Missing JWT signature check
CWE-693 Java/Kotlin java/spring-disabled-csrf-protection Disabled Spring CSRF protection
CWE-693 Java/Kotlin java/socket-auth-race-condition Race condition in socket authentication
CWE-693 Java/Kotlin java/insecure-basic-auth Insecure basic authentication
CWE-693 Java/Kotlin java/insecure-ldap-auth Insecure LDAP authentication
CWE-693 Java/Kotlin java/insecure-cookie Failure to use secure cookies
CWE-693 Java/Kotlin java/world-writable-file-read Reading from a world writable file
CWE-693 Java/Kotlin java/rsa-without-oaep Use of RSA algorithm without OAEP
CWE-693 Java/Kotlin java/hardcoded-credential-api-call Hard-coded credential in API call
CWE-693 Java/Kotlin java/hardcoded-credential-comparison Hard-coded credential comparison
CWE-693 Java/Kotlin java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE-693 Java/Kotlin java/hardcoded-password-field Hard-coded password field
CWE-693 Java/Kotlin java/user-controlled-bypass User-controlled bypass of sensitive method
CWE-693 Java/Kotlin java/tainted-permissions-check User-controlled data used in permissions check
CWE-693 Java/Kotlin java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE-693 Java/Kotlin java/improper-intent-verification Improper verification of intent by broadcast receiver
CWE-693 Java/Kotlin java/android/incomplete-provider-permissions Missing read or write permission in a content provider
CWE-693 Java/Kotlin java/android/implicitly-exported-component Implicitly exported Android component
CWE-693 Java/Kotlin java/android/implicit-pendingintents Use of implicit PendingIntents
CWE-693 Java/Kotlin java/android/sensitive-communication Leaking sensitive information through an implicit Intent
CWE-693 Java/Kotlin java/android/sensitive-result-receiver Leaking sensitive information through a ResultReceiver
CWE-693 Java/Kotlin java/android/intent-redirection Android Intent redirection
CWE-693 Java/Kotlin java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE-693 Java/Kotlin java/jxbrowser/disabled-certificate-validation JxBrowser with disabled certificate validation
CWE-693 Java/Kotlin java/ignored-hostname-verification Ignored result of hostname verification
CWE-693 Java/Kotlin java/insecure-ldaps-endpoint Insecure LDAPS Endpoint Configuration
CWE-693 Java/Kotlin java/disabled-certificate-revocation-checking Disabled certificate revocation checking
CWE-693 Java/Kotlin java/azure-storage/unsafe-client-side-encryption-in-use Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187).
CWE-693 Java/Kotlin java/unsafe-tls-version Unsafe TLS version
CWE-693 Java/Kotlin java/unvalidated-cors-origin-set CORS is derived from untrusted input
CWE-693 Java/Kotlin java/ip-address-spoofing IP address spoofing
CWE-693 Java/Kotlin java/jsonp-injection JSONP Injection
CWE-693 Java/Kotlin java/credentials-in-properties Cleartext Credentials in Properties File
CWE-693 Java/Kotlin java/password-in-configuration Password in configuration file
CWE-693 Java/Kotlin java/permissive-dot-regex URL matched by permissive . in a regular expression
CWE-693 Java/Kotlin java/hash-without-salt Use of a hash function without a salt
CWE-693 Java/Kotlin java/incorrect-url-verification Incorrect URL verification
CWE-693 JavaScript/TypeScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE-693 JavaScript/TypeScript js/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE-693 JavaScript/TypeScript js/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE-693 JavaScript/TypeScript js/incomplete-url-scheme-check Incomplete URL scheme check
CWE-693 JavaScript/TypeScript js/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE-693 JavaScript/TypeScript js/incorrect-suffix-check Incorrect suffix check
CWE-693 JavaScript/TypeScript js/missing-origin-check Missing origin verification in postMessage handler
CWE-693 JavaScript/TypeScript js/regex/missing-regexp-anchor Missing regular expression anchor
CWE-693 JavaScript/TypeScript js/overly-large-range Overly permissive regular expression range
CWE-693 JavaScript/TypeScript js/untrusted-data-to-external-api Untrusted data passed to external API
CWE-693 JavaScript/TypeScript js/useless-regexp-character-escape Useless regular-expression character escape
CWE-693 JavaScript/TypeScript js/bad-tag-filter Bad HTML filtering regexp
CWE-693 JavaScript/TypeScript js/double-escaping Double escaping or unescaping
CWE-693 JavaScript/TypeScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE-693 JavaScript/TypeScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE-693 JavaScript/TypeScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE-693 JavaScript/TypeScript js/exposure-of-private-files Exposure of private files
CWE-693 JavaScript/TypeScript js/disabling-certificate-validation Disabling certificate validation
CWE-693 JavaScript/TypeScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE-693 JavaScript/TypeScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE-693 JavaScript/TypeScript js/clear-text-logging Clear-text logging of sensitive information
CWE-693 JavaScript/TypeScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE-693 JavaScript/TypeScript js/password-in-configuration-file Password in configuration file
CWE-693 JavaScript/TypeScript js/insufficient-key-size Use of a weak cryptographic key
CWE-693 JavaScript/TypeScript js/biased-cryptographic-random Creating biased random numbers from a cryptographically secure source
CWE-693 JavaScript/TypeScript js/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE-693 JavaScript/TypeScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE-693 JavaScript/TypeScript js/jwt-missing-verification JWT missing secret or public key verification
CWE-693 JavaScript/TypeScript js/missing-token-validation Missing CSRF middleware
CWE-693 JavaScript/TypeScript js/session-fixation Failure to abandon session
CWE-693 JavaScript/TypeScript js/remote-property-injection Remote property injection
CWE-693 JavaScript/TypeScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE-693 JavaScript/TypeScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE-693 JavaScript/TypeScript js/missing-rate-limiting Missing rate limiting
CWE-693 JavaScript/TypeScript js/hardcoded-credentials Hard-coded credentials
CWE-693 JavaScript/TypeScript js/user-controlled-bypass User-controlled bypass of security check
CWE-693 JavaScript/TypeScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE-693 JavaScript/TypeScript js/empty-password-in-configuration-file Empty password in configuration file
CWE-693 JavaScript/TypeScript js/insufficient-password-hash Use of password hash with insufficient computational effort
CWE-693 JavaScript/TypeScript js/untrusted-data-to-external-api-more-sources Untrusted data passed to external API with additional heuristic sources
CWE-693 JavaScript/TypeScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE-693 JavaScript/TypeScript js/remote-property-injection-more-sources Remote property injection with additional heuristic sources
CWE-693 JavaScript/TypeScript js/user-controlled-bypass-more-sources User-controlled bypass of security check with additional heuristic sources
CWE-693 Python py/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE-693 Python py/untrusted-data-to-external-api Untrusted data passed to external API
CWE-693 Python py/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE-693 Python py/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE-693 Python py/overly-large-range Overly permissive regular expression range
CWE-693 Python py/bad-tag-filter Bad HTML filtering regexp
CWE-693 Python py/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE-693 Python py/paramiko-missing-host-key-validation Accepting unknown SSH host keys when using Paramiko
CWE-693 Python py/request-without-cert-validation Request without certificate validation
CWE-693 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE-693 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE-693 Python py/weak-crypto-key Use of weak cryptographic key
CWE-693 Python py/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE-693 Python py/insecure-default-protocol Default version of SSL/TLS may be insecure
CWE-693 Python py/insecure-protocol Use of insecure SSL/TLS version
CWE-693 Python py/weak-sensitive-data-hashing Use of a broken or weak cryptographic hashing algorithm on sensitive data
CWE-693 Python py/csrf-protection-disabled CSRF protection weakened or disabled
CWE-693 Python py/overly-permissive-file Overly permissive file permissions
CWE-693 Python py/hardcoded-credentials Hard-coded credentials
CWE-693 Python py/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE-693 Python py/flask-constant-secret-key Initializing SECRET_KEY of Flask application with Constant value
CWE-693 Python py/improper-ldap-auth Improper LDAP Authentication
CWE-693 Python py/azure-storage/unsafe-client-side-encryption-in-use Unsafe usage of v1 version of Azure Storage client-side encryption.
CWE-693 Python py/jwt-missing-verification JWT missing secret or public key verification
CWE-693 Python py/ip-address-spoofing IP address spoofing
CWE-693 Python py/insecure-ldap-auth Python Insecure LDAP Authentication
CWE-693 Python py/cookie-injection Construction of a cookie using user-supplied input.
CWE-693 Python py/insecure-cookie Failure to use secure cookies
CWE-693 Python py/unknown-asymmetric-key-gen-size Unknown key generation key size
CWE-693 Python py/weak-asymmetric-key-gen-size Weak key generation key size (< 2048 bits)
CWE-693 Python py/weak-block-mode Weak block mode
CWE-693 Python py/weak-elliptic-curve Weak elliptic curve
CWE-693 Python py/weak-hashes Weak hashes
CWE-693 Python py/weak-symmetric-encryption Weak symmetric encryption algorithm
CWE-693 Ruby rb/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE-693 Ruby rb/jwt-missing-verification JWT missing secret or public key verification
CWE-693 Ruby rb/user-controlled-bypass User-controlled bypass of security check
CWE-693 Ruby rb/improper-ldap-auth Improper LDAP Authentication
CWE-693 Ruby rb/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE-693 Ruby rb/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE-693 Ruby rb/regex/badly-anchored-regexp Badly anchored regular expression
CWE-693 Ruby rb/regex/missing-regexp-anchor Missing regular expression anchor
CWE-693 Ruby rb/overly-large-range Overly permissive regular expression range
CWE-693 Ruby rb/bad-tag-filter Bad HTML filtering regexp
CWE-693 Ruby rb/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE-693 Ruby rb/incomplete-sanitization Incomplete string escaping or encoding
CWE-693 Ruby rb/request-without-cert-validation Request without certificate validation
CWE-693 Ruby rb/insecure-dependency Dependency download using unencrypted communication channel
CWE-693 Ruby rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE-693 Ruby rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE-693 Ruby rb/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE-693 Ruby rb/csrf-protection-disabled CSRF protection weakened or disabled
CWE-693 Ruby rb/csrf-protection-not-enabled CSRF protection not enabled
CWE-693 Ruby rb/weak-cookie-configuration Weak cookie configuration
CWE-693 Ruby rb/overly-permissive-file Overly permissive file permissions
CWE-693 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE-693 Swift swift/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE-693 Swift swift/missing-regexp-anchor Missing regular expression anchor
CWE-693 Swift swift/bad-tag-filter Bad HTML filtering regexp
CWE-693 Swift swift/constant-password Constant password
CWE-693 Swift swift/cleartext-storage-database Cleartext storage of sensitive information in a local database
CWE-693 Swift swift/cleartext-transmission Cleartext transmission of sensitive information
CWE-693 Swift swift/cleartext-logging Cleartext logging of sensitive information
CWE-693 Swift swift/cleartext-storage-preferences Cleartext storage of sensitive information in an application preference store
CWE-693 Swift swift/hardcoded-key Hard-coded encryption key
CWE-693 Swift swift/ecb-encryption Encryption using ECB
CWE-693 Swift swift/weak-password-hashing Use of an inappropriate cryptographic hashing algorithm on passwords
CWE-693 Swift swift/weak-sensitive-data-hashing Use of a broken or weak cryptographic hashing algorithm on sensitive data
CWE-693 Swift swift/insecure-tls Insecure TLS configuration
CWE-693 Swift swift/constant-salt Use of constant salts
CWE-693 Swift swift/insufficient-hash-iterations Insufficient hash iterations
CWE-695 Java/Kotlin java/ejb/file-io EJB uses file input/output
CWE-695 Java/Kotlin java/ejb/graphics EJB uses graphics
CWE-695 Java/Kotlin java/ejb/synchronization EJB uses synchronization
CWE-695 Java/Kotlin java/ejb/threads EJB uses threads
CWE-696 Python py/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE-696 Ruby rb/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE-697 C/C++ cpp/missing-case-in-switch Missing enum case in switch
CWE-697 C/C++ cpp/operator-find-incorrectly-used-switch Incorrect switch statement
CWE-697 C# cs/class-name-comparison Erroneous class compare
CWE-697 C# cs/reference-equality-with-object Reference equality test on System.Object
CWE-697 C# cs/reference-equality-on-valuetypes Call to ReferenceEquals(...) on value type expressions
CWE-697 Go go/cors-misconfiguration CORS misconfiguration
CWE-697 Java/Kotlin java/missing-default-in-switch Missing default case in switch
CWE-697 Java/Kotlin java/reference-equality-with-object Reference equality test on java.lang.Object
CWE-697 Java/Kotlin java/reference-equality-of-boxed-types Reference equality test of boxed types
CWE-697 Java/Kotlin java/reference-equality-on-strings Reference equality test on strings
CWE-697 Java/Kotlin java/missing-case-in-switch Missing enum case in switch
CWE-697 Java/Kotlin java/permissive-dot-regex URL matched by permissive . in a regular expression
CWE-697 JavaScript/TypeScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE-697 JavaScript/TypeScript js/incomplete-url-scheme-check Incomplete URL scheme check
CWE-697 JavaScript/TypeScript js/bad-tag-filter Bad HTML filtering regexp
CWE-697 JavaScript/TypeScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE-697 JavaScript/TypeScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE-697 Python py/bad-tag-filter Bad HTML filtering regexp
CWE-697 Ruby rb/bad-tag-filter Bad HTML filtering regexp
CWE-697 Swift swift/bad-tag-filter Bad HTML filtering regexp
CWE-703 C/C++ cpp/incorrectly-checked-scanf Incorrect return-value check for a 'scanf'-like function
CWE-703 C/C++ cpp/missing-check-scanf Missing return-value check for a 'scanf'-like function
CWE-703 C/C++ cpp/return-value-ignored Return value of a function is ignored
CWE-703 C/C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE-703 C/C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE-703 C/C++ cpp/inconsistent-call-on-result Inconsistent operation on return value
CWE-703 C/C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE-703 C/C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE-703 C/C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE-703 C/C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE-703 C/C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE-703 C/C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE-703 C/C++ cpp/operator-find-incorrectly-used-exceptions Operator Find Incorrectly Used Exceptions
CWE-703 C/C++ cpp/improper-check-return-value-scanf Improper check of return value of scanf
CWE-703 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE-703 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE-703 C# cs/unchecked-return-value Unchecked return value
CWE-703 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE-703 C# cs/empty-catch-block Poor error handling: empty catch block
CWE-703 C# cs/catch-of-all-exceptions Generic catch clause
CWE-703 C# cs/information-exposure-through-exception Information exposure through an exception
CWE-703 C# cs/web/missing-global-error-handler Missing global error handler
CWE-703 Go go/stack-trace-exposure Information exposure through a stack trace
CWE-703 Java/Kotlin java/inconsistent-call-on-result Inconsistent operation on return value
CWE-703 Java/Kotlin java/return-value-ignored Method result ignored
CWE-703 Java/Kotlin java/stack-trace-exposure Information exposure through a stack trace
CWE-703 Java/Kotlin java/unsafe-cert-trust Unsafe certificate trust
CWE-703 Java/Kotlin java/discarded-exception Discarded exception
CWE-703 Java/Kotlin java/overly-general-catch Overly-general catch clause
CWE-703 Java/Kotlin java/ignored-error-status-of-call Ignored error status of call
CWE-703 Java/Kotlin java/uncaught-number-format-exception Missing catch of NumberFormatException
CWE-703 Java/Kotlin java/uncaught-servlet-exception Uncaught Servlet Exception
CWE-703 Java/Kotlin java/android/nfe-local-android-dos Local Android DoS Caused By NumberFormatException
CWE-703 JavaScript/TypeScript js/stack-trace-exposure Information exposure through a stack trace
CWE-703 JavaScript/TypeScript js/server-crash Server crash
CWE-703 JavaScript/TypeScript js/unvalidated-dynamic-method-call Unvalidated dynamic method call
CWE-703 Python py/catch-base-exception Except block handles 'BaseException'
CWE-703 Python py/empty-except Empty except
CWE-703 Python py/ignored-return-value Ignored return value
CWE-703 Python py/stack-trace-exposure Information exposure through an exception
CWE-703 Ruby rb/stack-trace-exposure Information exposure through an exception
CWE-704 C/C++ cpp/bad-addition-overflow-check Bad check for overflow of integer addition
CWE-704 C/C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE-704 C/C++ cpp/upcast-array-pointer-arithmetic Upcast array used in pointer arithmetic
CWE-704 C/C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE-704 C/C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE-704 C/C++ cpp/incorrect-string-type-conversion Cast from char to wchar_t
CWE-704 C/C++ cpp/type-confusion Type confusion
CWE-704 C# cs/loss-of-precision Possible loss of precision
CWE-704 Go go/shift-out-of-range Shift out of range
CWE-704 Go go/incorrect-integer-conversion Incorrect conversion between integer types
CWE-704 Java/Kotlin java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE-704 Java/Kotlin java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE-704 Java/Kotlin java/impossible-array-cast Impossible array cast
CWE-704 Java/Kotlin java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE-704 Java/Kotlin java/tainted-numeric-cast User-controlled data in numeric cast
CWE-704 Java/Kotlin java/tainted-numeric-cast-local Local-user-controlled data in numeric cast
CWE-704 JavaScript/TypeScript js/implicit-operand-conversion Implicit operand conversion
CWE-704 JavaScript/TypeScript js/shift-out-of-range Shift out of range
CWE-704 JavaScript/TypeScript js/invalid-prototype-value Invalid prototype value
CWE-704 JavaScript/TypeScript js/property-assignment-on-primitive Assignment to property of primitive value
CWE-704 JavaScript/TypeScript js/type-confusion-through-parameter-tampering Type confusion through parameter tampering
CWE-705 C/C++ cpp/operator-find-incorrectly-used-exceptions Operator Find Incorrectly Used Exceptions
CWE-705 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE-705 C# cs/catch-of-all-exceptions Generic catch clause
CWE-705 C# cs/web/missing-global-error-handler Missing global error handler
CWE-705 Java/Kotlin java/ejb/container-interference EJB interferes with container operation
CWE-705 Java/Kotlin java/overly-general-catch Overly-general catch clause
CWE-705 Java/Kotlin java/uncaught-number-format-exception Missing catch of NumberFormatException
CWE-705 Java/Kotlin java/jvm-exit Forcible JVM termination
CWE-705 Java/Kotlin java/abnormal-finally-completion Finally block may not complete normally
CWE-705 Java/Kotlin java/uncaught-servlet-exception Uncaught Servlet Exception
CWE-705 JavaScript/TypeScript js/exit-from-finally Jump from finally
CWE-705 JavaScript/TypeScript js/server-crash Server crash
CWE-705 Python py/catch-base-exception Except block handles 'BaseException'
CWE-705 Python py/exit-from-finally 'break' or 'return' statement in finally
CWE-706 C/C++ cpp/path-injection Uncontrolled data used in path expression
CWE-706 C# cs/path-injection Uncontrolled data used in path expression
CWE-706 C# cs/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-706 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-706 C# cs/insecure-xml-read XML is read insecurely
CWE-706 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-706 Go go/path-injection Uncontrolled data used in path expression
CWE-706 Go go/unsafe-unzip-symlink Arbitrary file write extracting an archive containing symbolic links
CWE-706 Go go/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-706 Java/Kotlin java/path-injection Uncontrolled data used in path expression
CWE-706 Java/Kotlin java/path-injection-local Local-user-controlled data in path expression
CWE-706 Java/Kotlin java/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-706 Java/Kotlin java/partial-path-traversal Partial path traversal vulnerability
CWE-706 Java/Kotlin java/partial-path-traversal-from-remote Partial path traversal vulnerability from remote
CWE-706 Java/Kotlin java/xxe Resolving XML external entity in user-controlled data
CWE-706 Java/Kotlin java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE-706 Java/Kotlin java/openstream-called-on-tainted-url openStream called on URLs created from remote source
CWE-706 JavaScript/TypeScript js/path-injection Uncontrolled data used in path expression
CWE-706 JavaScript/TypeScript js/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-706 JavaScript/TypeScript js/case-sensitive-middleware-path Case-sensitive middleware path
CWE-706 JavaScript/TypeScript js/xxe XML external entity expansion
CWE-706 JavaScript/TypeScript js/xxe-more-sources XML external entity expansion with additional heuristic sources
CWE-706 Python py/path-injection Uncontrolled data used in path expression
CWE-706 Python py/tarslip Arbitrary file write during tarfile extraction
CWE-706 Python py/xxe XML external entity expansion
CWE-706 Python py/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-706 Python py/tarslip-extended Arbitrary file write during tarfile extraction
CWE-706 Python py/unsafe-unpacking Arbitrary file write during a tarball extraction from a user controlled source
CWE-706 Ruby rb/zip-slip Arbitrary file access during archive extraction ("Zip Slip")
CWE-706 Ruby rb/path-injection Uncontrolled data used in path expression
CWE-706 Ruby rb/xxe XML external entity expansion
CWE-706 Swift swift/unsafe-unpacking Arbitrary file write during a zip extraction from a user controlled source
CWE-706 Swift swift/path-injection Uncontrolled data used in path expression
CWE-706 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE-707 C/C++ cpp/non-constant-format Non-constant format string
CWE-707 C/C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE-707 C/C++ cpp/improper-null-termination Potential improper null termination
CWE-707 C/C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE-707 C/C++ cpp/command-line-injection Uncontrolled data used in OS command
CWE-707 C/C++ cpp/cgi-xss CGI script vulnerable to cross-site scripting
CWE-707 C/C++ cpp/sql-injection Uncontrolled data in SQL query
CWE-707 C/C++ cpp/tainted-format-string Uncontrolled format string
CWE-707 C/C++ cpp/user-controlled-null-termination-tainted User-controlled data may not be null terminated
CWE-707 C/C++ cpp/wordexp-injection Uncontrolled data used in wordexp command
CWE-707 C# cs/path-injection Uncontrolled data used in path expression
CWE-707 C# cs/command-line-injection Uncontrolled command line
CWE-707 C# cs/web/xss Cross-site scripting
CWE-707 C# cs/sql-injection SQL query built from user-controlled sources
CWE-707 C# cs/ldap-injection LDAP query built from user-controlled sources
CWE-707 C# cs/xml-injection XML injection
CWE-707 C# cs/code-injection Improper control of generation of code
CWE-707 C# cs/resource-injection Resource injection
CWE-707 C# cs/log-forging Log entries created from user input
CWE-707 C# cs/uncontrolled-format-string Uncontrolled format string
CWE-707 C# cs/xml/xpath-injection XPath injection
CWE-707 C# cs/inappropriate-encoding Inappropriate encoding
CWE-707 C# cs/web/disabled-header-checking Header checking disabled
CWE-707 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-707 Go go/path-injection Uncontrolled data used in path expression
CWE-707 Go go/command-injection Command built from user-controlled sources
CWE-707 Go go/stored-command Command built from stored data
CWE-707 Go go/reflected-xss Reflected cross-site scripting
CWE-707 Go go/stored-xss Stored cross-site scripting
CWE-707 Go go/sql-injection Database query built from user-controlled sources
CWE-707 Go go/unsafe-quoting Potentially unsafe quoting
CWE-707 Go go/log-injection Log entries created from user input
CWE-707 Go go/xml/xpath-injection XPath injection
CWE-707 Go go/ldap-injection LDAP query built from user-controlled sources
CWE-707 Go go/dsn-injection SQL Data-source URI built from user-controlled sources
CWE-707 Go go/dsn-injection-local SQL Data-source URI built from local user-controlled sources
CWE-707 Go go/html-template-escaping-passthrough HTML template escaping passthrough
CWE-707 Java/Kotlin java/jndi-injection JNDI lookup with user-controlled name
CWE-707 Java/Kotlin java/xslt-injection XSLT transformation with user-controlled stylesheet
CWE-707 Java/Kotlin java/relative-path-command Executing a command with a relative path
CWE-707 Java/Kotlin java/command-line-injection Uncontrolled command line
CWE-707 Java/Kotlin java/exec-tainted-environment Building a command with an injected environment variable
CWE-707 Java/Kotlin java/command-line-injection-local Local-user-controlled command line
CWE-707 Java/Kotlin java/concatenated-command-line Building a command line with string concatenation
CWE-707 Java/Kotlin java/android/webview-addjavascriptinterface Access Java object methods through JavaScript exposure
CWE-707 Java/Kotlin java/android/websettings-javascript-enabled Android WebView JavaScript settings
CWE-707 Java/Kotlin java/xss Cross-site scripting
CWE-707 Java/Kotlin java/xss-local Cross-site scripting from local source
CWE-707 Java/Kotlin java/concatenated-sql-query Query built by concatenation with a possibly-untrusted string
CWE-707 Java/Kotlin java/sql-injection Query built from user-controlled sources
CWE-707 Java/Kotlin java/sql-injection-local Query built from local-user-controlled sources
CWE-707 Java/Kotlin java/ldap-injection LDAP query built from user-controlled sources
CWE-707 Java/Kotlin java/android/arbitrary-apk-installation Android APK installation
CWE-707 Java/Kotlin java/groovy-injection Groovy Language injection
CWE-707 Java/Kotlin java/insecure-bean-validation Insecure Bean Validation
CWE-707 Java/Kotlin java/jexl-expression-injection Expression language injection (JEXL)
CWE-707 Java/Kotlin java/mvel-expression-injection Expression language injection (MVEL)
CWE-707 Java/Kotlin java/spel-expression-injection Expression language injection (Spring)
CWE-707 Java/Kotlin java/server-side-template-injection Server-side template injection
CWE-707 Java/Kotlin java/netty-http-request-or-response-splitting Disabled Netty HTTP header validation
CWE-707 Java/Kotlin java/http-response-splitting HTTP response splitting
CWE-707 Java/Kotlin java/http-response-splitting-local HTTP response splitting from local source
CWE-707 Java/Kotlin java/log-injection Log Injection
CWE-707 Java/Kotlin java/tainted-format-string Use of externally-controlled format string
CWE-707 Java/Kotlin java/tainted-format-string-local Use of externally-controlled format string from local source
CWE-707 Java/Kotlin java/xml/xpath-injection XPath injection
CWE-707 Java/Kotlin java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android WebView
CWE-707 Java/Kotlin java/ognl-injection OGNL Expression Language statement with user-controlled input
CWE-707 Java/Kotlin java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE-707 Java/Kotlin java/command-line-injection-extra Command Injection into Runtime.exec() with dangerous command
CWE-707 Java/Kotlin java/command-line-injection-extra-local Command Injection into Runtime.exec() with dangerous command
CWE-707 Java/Kotlin java/command-line-injection-experimental Uncontrolled command line (experimental sinks)
CWE-707 Java/Kotlin java/mybatis-annotation-sql-injection SQL injection in MyBatis annotation
CWE-707 Java/Kotlin java/mybatis-xml-sql-injection SQL injection in MyBatis Mapper XML
CWE-707 Java/Kotlin java/beanshell-injection BeanShell injection
CWE-707 Java/Kotlin java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE-707 Java/Kotlin java/jshell-injection JShell injection
CWE-707 Java/Kotlin java/javaee-expression-injection Jakarta Expression Language injection
CWE-707 Java/Kotlin java/jython-injection Injection in Jython
CWE-707 Java/Kotlin java/unsafe-eval Injection in Java Script Engine
CWE-707 Java/Kotlin java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE-707 Java/Kotlin java/spring-view-manipulation Spring View Manipulation
CWE-707 Java/Kotlin java/xquery-injection XQuery query built from user-controlled sources
CWE-707 JavaScript/TypeScript js/angular/disabling-sce Disabling SCE
CWE-707 JavaScript/TypeScript js/disabling-electron-websecurity Disabling Electron webSecurity
CWE-707 JavaScript/TypeScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE-707 JavaScript/TypeScript js/identity-replacement Replacement of a substring with itself
CWE-707 JavaScript/TypeScript js/path-injection Uncontrolled data used in path expression
CWE-707 JavaScript/TypeScript js/template-object-injection Template Object Injection
CWE-707 JavaScript/TypeScript js/command-line-injection Uncontrolled command line
CWE-707 JavaScript/TypeScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE-707 JavaScript/TypeScript js/second-order-command-line-injection Second order command injection
CWE-707 JavaScript/TypeScript js/shell-command-injection-from-environment Shell command built from environment values
CWE-707 JavaScript/TypeScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-707 JavaScript/TypeScript js/unnecessary-use-of-cat Unnecessary use of cat process
CWE-707 JavaScript/TypeScript js/xss-through-exception Exception text reinterpreted as HTML
CWE-707 JavaScript/TypeScript js/reflected-xss Reflected cross-site scripting
CWE-707 JavaScript/TypeScript js/stored-xss Stored cross-site scripting
CWE-707 JavaScript/TypeScript js/html-constructed-from-input Unsafe HTML constructed from library input
CWE-707 JavaScript/TypeScript js/unsafe-jquery-plugin Unsafe jQuery plugin
CWE-707 JavaScript/TypeScript js/xss Client-side cross-site scripting
CWE-707 JavaScript/TypeScript js/xss-through-dom DOM text reinterpreted as HTML
CWE-707 JavaScript/TypeScript js/sql-injection Database query built from user-controlled sources
CWE-707 JavaScript/TypeScript js/code-injection Code injection
CWE-707 JavaScript/TypeScript js/actions/command-injection Expression injection in Actions
CWE-707 JavaScript/TypeScript js/bad-code-sanitization Improper code sanitization
CWE-707 JavaScript/TypeScript js/unsafe-code-construction Unsafe code constructed from library input
CWE-707 JavaScript/TypeScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE-707 JavaScript/TypeScript js/bad-tag-filter Bad HTML filtering regexp
CWE-707 JavaScript/TypeScript js/double-escaping Double escaping or unescaping
CWE-707 JavaScript/TypeScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE-707 JavaScript/TypeScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE-707 JavaScript/TypeScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE-707 JavaScript/TypeScript js/unsafe-html-expansion Unsafe expansion of self-closing HTML tag
CWE-707 JavaScript/TypeScript js/log-injection Log injection
CWE-707 JavaScript/TypeScript js/tainted-format-string Use of externally-controlled format string
CWE-707 JavaScript/TypeScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE-707 JavaScript/TypeScript js/xpath-injection XPath injection
CWE-707 JavaScript/TypeScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE-707 JavaScript/TypeScript js/prototype-pollution-utility Prototype-polluting function
CWE-707 JavaScript/TypeScript js/prototype-pollution Prototype-polluting merge call
CWE-707 JavaScript/TypeScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE-707 JavaScript/TypeScript js/command-line-injection-more-sources Uncontrolled command line with additional heuristic sources
CWE-707 JavaScript/TypeScript js/xss-more-sources Client-side cross-site scripting with additional heuristic sources
CWE-707 JavaScript/TypeScript js/sql-injection-more-sources Database query built from user-controlled sources with additional heuristic sources
CWE-707 JavaScript/TypeScript js/code-injection-more-sources Code injection with additional heuristic sources
CWE-707 JavaScript/TypeScript js/log-injection-more-sources Log injection with additional heuristic sources
CWE-707 JavaScript/TypeScript js/tainted-format-string-more-sources Use of externally-controlled format string with additional heuristic sources
CWE-707 JavaScript/TypeScript js/xpath-injection-more-sources XPath injection with additional heuristic sources
CWE-707 JavaScript/TypeScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE-707 Python py/path-injection Uncontrolled data used in path expression
CWE-707 Python py/command-line-injection Uncontrolled command line
CWE-707 Python py/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-707 Python py/jinja2/autoescape-false Jinja2 templating with autoescape=False
CWE-707 Python py/reflective-xss Reflected server-side cross-site scripting
CWE-707 Python py/sql-injection SQL query built from user-controlled sources
CWE-707 Python py/ldap-injection LDAP query built from user-controlled sources
CWE-707 Python py/code-injection Code injection
CWE-707 Python py/bad-tag-filter Bad HTML filtering regexp
CWE-707 Python py/log-injection Log Injection
CWE-707 Python py/xpath-injection XPath query built from user-controlled sources
CWE-707 Python py/nosql-injection NoSQL Injection
CWE-707 Python py/template-injection Server Side Template Injection
CWE-707 Python py/paramiko-command-injection RCE with user provided command with paramiko ssh client
CWE-707 Python py/reflective-xss-email Reflected server-side cross-site scripting
CWE-707 Python py/xslt-injection XSLT query built from user-controlled sources
CWE-707 Python py/header-injection HTTP Header Injection
CWE-707 Python py/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE-707 Ruby rb/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE-707 Ruby rb/ldap-injection LDAP Injection
CWE-707 Ruby rb/server-side-template-injection Server-side template injection
CWE-707 Ruby rb/xpath-injection XPath query built from user-controlled sources
CWE-707 Ruby rb/path-injection Uncontrolled data used in path expression
CWE-707 Ruby rb/command-line-injection Uncontrolled command line
CWE-707 Ruby rb/kernel-open Use of Kernel.open, IO.read or similar sinks with user-controlled input
CWE-707 Ruby rb/non-constant-kernel-open Use of Kernel.open or IO.read or similar sinks with a non-constant value
CWE-707 Ruby rb/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE-707 Ruby rb/reflected-xss Reflected server-side cross-site scripting
CWE-707 Ruby rb/stored-xss Stored cross-site scripting
CWE-707 Ruby rb/html-constructed-from-input Unsafe HTML constructed from library input
CWE-707 Ruby rb/sql-injection SQL query built from user-controlled sources
CWE-707 Ruby rb/code-injection Code injection
CWE-707 Ruby rb/unsafe-code-construction Unsafe code constructed from library input
CWE-707 Ruby rb/bad-tag-filter Bad HTML filtering regexp
CWE-707 Ruby rb/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE-707 Ruby rb/incomplete-sanitization Incomplete string escaping or encoding
CWE-707 Ruby rb/log-injection Log injection
CWE-707 Ruby rb/tainted-format-string Use of externally-controlled format string
CWE-707 Swift swift/path-injection Uncontrolled data used in path expression
CWE-707 Swift swift/command-line-injection System command built from user-controlled sources
CWE-707 Swift swift/unsafe-webview-fetch Unsafe WebView fetch
CWE-707 Swift swift/sql-injection Database query built from user-controlled sources
CWE-707 Swift swift/unsafe-js-eval JavaScript Injection
CWE-707 Swift swift/bad-tag-filter Bad HTML filtering regexp
CWE-707 Swift swift/uncontrolled-format-string Uncontrolled format string
CWE-707 Swift swift/predicate-injection Predicate built from user-controlled sources
CWE-710 C/C++ cpp/unused-local-variable Unused local variable
CWE-710 C/C++ cpp/unused-static-function Unused static function
CWE-710 C/C++ cpp/unused-static-variable Unused static variable
CWE-710 C/C++ cpp/dead-code-condition Branching condition always evaluates to same value
CWE-710 C/C++ cpp/dead-code-function Function is never called
CWE-710 C/C++ cpp/dead-code-goto Dead code due to goto or break statement
CWE-710 C/C++ cpp/double-free Potential double free
CWE-710 C/C++ cpp/inconsistent-nullness-testing Inconsistent null check of pointer
CWE-710 C/C++ cpp/incorrectly-checked-scanf Incorrect return-value check for a 'scanf'-like function
CWE-710 C/C++ cpp/missing-check-scanf Missing return-value check for a 'scanf'-like function
CWE-710 C/C++ cpp/missing-null-test Returned pointer not checked
CWE-710 C/C++ cpp/unused-variable Variable is assigned a value that is never read
CWE-710 C/C++ cpp/fixme-comment FIXME comment
CWE-710 C/C++ cpp/todo-comment TODO comment
CWE-710 C/C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE-710 C/C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE-710 C/C++ cpp/wrong-type-format-argument Wrong type of arguments to formatting function
CWE-710 C/C++ cpp/inconsistent-null-check Inconsistent nullness check
CWE-710 C/C++ cpp/useless-expression Expression has no effect
CWE-710 C/C++ cpp/pointer-overflow-check Pointer overflow check
CWE-710 C/C++ cpp/bad-strncpy-size Possibly wrong buffer size in string copy
CWE-710 C/C++ cpp/suspicious-call-to-memset Suspicious call to memset
CWE-710 C/C++ cpp/unsafe-strncat Potentially unsafe call to strncat
CWE-710 C/C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE-710 C/C++ cpp/redundant-null-check-simple Redundant null check due to previous dereference
CWE-710 C/C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE-710 C/C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE-710 C/C++ cpp/memset-may-be-deleted Call to memset may be deleted
CWE-710 C/C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE-710 C/C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE-710 C/C++ cpp/dangerous-function-overflow Use of dangerous function
CWE-710 C/C++ cpp/dangerous-cin Dangerous use of 'cin'
CWE-710 C/C++ cpp/potentially-dangerous-function Use of potentially dangerous function
CWE-710 C/C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE-710 C/C++ cpp/twice-locked Mutex locked twice
CWE-710 C/C++ cpp/unreleased-lock Lock may not be released
CWE-710 C/C++ cpp/redundant-null-check-param Redundant null check or missing null check of parameter
CWE-710 C/C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE-710 C/C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE-710 C/C++ cpp/experimental-double-free Errors When Double Free
CWE-710 C/C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE-710 C/C++ cpp/operator-find-incorrectly-used-switch Incorrect switch statement
CWE-710 C/C++ cpp/double-release Errors When Double Release
CWE-710 C/C++ cpp/errors-of-undefined-program-behavior Errors Of Undefined Program Behavior
CWE-710 C# cs/call-to-obsolete-method Call to obsolete method
CWE-710 C# cs/inconsistent-equals-and-gethashcode Inconsistent Equals(object) and GetHashCode()
CWE-710 C# cs/todo-comment TODO comment
CWE-710 C# cs/dereferenced-value-is-always-null Dereferenced variable is always null
CWE-710 C# cs/dereferenced-value-may-be-null Dereferenced variable may be null
CWE-710 C# cs/unused-reftype Dead reference types
CWE-710 C# cs/useless-assignment-to-local Useless assignment to local variable
CWE-710 C# cs/unused-field Unused field
CWE-710 C# cs/unused-method Unused method
CWE-710 C# cs/captured-foreach-variable Capturing a foreach variable
CWE-710 C# cs/useless-cast-to-self Cast to same type
CWE-710 C# cs/useless-is-before-as Useless 'is' before 'as'
CWE-710 C# cs/coalesce-of-identical-expressions Useless ?? expression
CWE-710 C# cs/useless-type-test Useless type test
CWE-710 C# cs/useless-upcast Useless upcast
CWE-710 C# cs/empty-collection Container contents are never initialized
CWE-710 C# cs/unused-collection Container contents are never accessed
CWE-710 C# cs/invalid-dynamic-call Bad dynamic call
CWE-710 C# cs/empty-lock-statement Empty lock statement
CWE-710 C# cs/linq/useless-select Redundant Select
CWE-710 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE-710 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-710 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-710 C# cs/hardcoded-credentials Hard-coded credentials
CWE-710 Go go/comparison-of-identical-expressions Comparison of identical values
CWE-710 Go go/useless-assignment-to-field Useless assignment to field
CWE-710 Go go/useless-assignment-to-local Useless assignment to local variable
CWE-710 Go go/duplicate-branches Duplicate 'if' branches
CWE-710 Go go/duplicate-condition Duplicate 'if' condition
CWE-710 Go go/duplicate-switch-case Duplicate switch case
CWE-710 Go go/useless-expression Expression has no effect
CWE-710 Go go/redundant-operation Identical operands
CWE-710 Go go/redundant-assignment Self assignment
CWE-710 Go go/unreachable-statement Unreachable statement
CWE-710 Go go/hardcoded-credentials Hard-coded credentials
CWE-710 Go go/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE-710 Go go/parse-jwt-with-hardcoded-key Decoding JWT with hardcoded key
CWE-710 Java/Kotlin java/deprecated-call Deprecated method or constructor invocation
CWE-710 Java/Kotlin java/dead-class Dead class
CWE-710 Java/Kotlin java/dead-enum-constant Dead enum constant
CWE-710 Java/Kotlin java/dead-field Dead field
CWE-710 Java/Kotlin java/dead-function Dead method
CWE-710 Java/Kotlin java/lines-of-dead-code Lines of dead code in files
CWE-710 Java/Kotlin java/unused-parameter Useless parameter
CWE-710 Java/Kotlin java/ejb/container-interference EJB interferes with container operation
CWE-710 Java/Kotlin java/ejb/file-io EJB uses file input/output
CWE-710 Java/Kotlin java/ejb/graphics EJB uses graphics
CWE-710 Java/Kotlin java/ejb/native-code EJB uses native code
CWE-710 Java/Kotlin java/ejb/reflection EJB uses reflection
CWE-710 Java/Kotlin java/ejb/security-configuration-access EJB accesses security configuration
CWE-710 Java/Kotlin java/ejb/substitution-in-serialization EJB uses substitution in serialization
CWE-710 Java/Kotlin java/ejb/socket-or-stream-handler-factory EJB sets socket factory or URL stream handler factory
CWE-710 Java/Kotlin java/ejb/server-socket EJB uses server socket
CWE-710 Java/Kotlin java/ejb/non-final-static-field EJB uses non-final static field
CWE-710 Java/Kotlin java/ejb/synchronization EJB uses synchronization
CWE-710 Java/Kotlin java/ejb/this EJB uses 'this' as argument or result
CWE-710 Java/Kotlin java/ejb/threads EJB uses threads
CWE-710 Java/Kotlin java/useless-null-check Useless null check
CWE-710 Java/Kotlin java/useless-type-test Useless type test
CWE-710 Java/Kotlin java/useless-upcast Useless upcast
CWE-710 Java/Kotlin java/missing-call-to-super-clone Missing super clone
CWE-710 Java/Kotlin java/empty-container Container contents are never initialized
CWE-710 Java/Kotlin java/unused-container Container contents are never accessed
CWE-710 Java/Kotlin java/inconsistent-equals-and-hashcode Inconsistent equals and hashCode
CWE-710 Java/Kotlin java/constant-comparison Useless comparison test
CWE-710 Java/Kotlin java/unreleased-lock Unreleased lock
CWE-710 Java/Kotlin java/missing-super-finalize Finalizer inconsistency
CWE-710 Java/Kotlin java/missing-format-argument Missing format argument
CWE-710 Java/Kotlin java/unused-format-argument Unused format argument
CWE-710 Java/Kotlin java/dereferenced-value-is-always-null Dereferenced variable is always null
CWE-710 Java/Kotlin java/dereferenced-expr-may-be-null Dereferenced expression may be null
CWE-710 Java/Kotlin java/dereferenced-value-may-be-null Dereferenced variable may be null
CWE-710 Java/Kotlin java/empty-synchronized-block Empty synchronized block
CWE-710 Java/Kotlin java/unreachable-catch-clause Unreachable catch clause
CWE-710 Java/Kotlin java/static-initialization-vector Using a static initialization vector for encryption
CWE-710 Java/Kotlin java/potentially-dangerous-function Use of a potentially dangerous function
CWE-710 Java/Kotlin java/hardcoded-credential-api-call Hard-coded credential in API call
CWE-710 Java/Kotlin java/hardcoded-credential-comparison Hard-coded credential comparison
CWE-710 Java/Kotlin java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE-710 Java/Kotlin java/hardcoded-password-field Hard-coded password field
CWE-710 Java/Kotlin java/todo-comment TODO/FIXME comments
CWE-710 Java/Kotlin java/unused-reference-type Unused classes and interfaces
CWE-710 Java/Kotlin java/overwritten-assignment-to-local Assigned value is overwritten
CWE-710 Java/Kotlin java/useless-assignment-to-local Useless assignment to local variable
CWE-710 Java/Kotlin java/empty-finalizer Empty body of finalizer
CWE-710 Java/Kotlin java/unused-initialized-local Local variable is initialized but not used
CWE-710 Java/Kotlin java/local-variable-is-never-read Unread local variable
CWE-710 Java/Kotlin java/unused-field Unused field
CWE-710 Java/Kotlin java/unused-label Unused label
CWE-710 Java/Kotlin java/unused-local-variable Unused local variable
CWE-710 Java/Kotlin java/switch-fall-through Unterminated switch case
CWE-710 Java/Kotlin java/redundant-cast Unnecessary cast
CWE-710 Java/Kotlin java/unused-import Unnecessary import
CWE-710 JavaScript/TypeScript js/todo-comment TODO comment
CWE-710 JavaScript/TypeScript js/conflicting-html-attribute Conflicting HTML element attributes
CWE-710 JavaScript/TypeScript js/malformed-html-id Malformed id attribute
CWE-710 JavaScript/TypeScript js/eval-like-call Call to eval-like DOM function
CWE-710 JavaScript/TypeScript js/variable-initialization-conflict Conflicting variable initialization
CWE-710 JavaScript/TypeScript js/function-declaration-conflict Conflicting function declarations
CWE-710 JavaScript/TypeScript js/useless-assignment-to-global Useless assignment to global variable
CWE-710 JavaScript/TypeScript js/useless-assignment-to-local Useless assignment to local variable
CWE-710 JavaScript/TypeScript js/overwritten-property Overwritten property
CWE-710 JavaScript/TypeScript js/comparison-of-identical-expressions Comparison of identical values
CWE-710 JavaScript/TypeScript js/comparison-with-nan Comparison with NaN
CWE-710 JavaScript/TypeScript js/duplicate-condition Duplicate 'if' condition
CWE-710 JavaScript/TypeScript js/duplicate-property Duplicate property
CWE-710 JavaScript/TypeScript js/duplicate-switch-case Duplicate switch case
CWE-710 JavaScript/TypeScript js/useless-expression Expression has no effect
CWE-710 JavaScript/TypeScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE-710 JavaScript/TypeScript js/redundant-operation Identical operands
CWE-710 JavaScript/TypeScript js/redundant-assignment Self assignment
CWE-710 JavaScript/TypeScript js/call-to-non-callable Invocation of non-function
CWE-710 JavaScript/TypeScript js/property-access-on-non-object Property access on null or undefined
CWE-710 JavaScript/TypeScript js/unneeded-defensive-code Unneeded defensive code
CWE-710 JavaScript/TypeScript js/useless-type-test Useless type test
CWE-710 JavaScript/TypeScript js/conditional-comment Conditional comments
CWE-710 JavaScript/TypeScript js/eval-call Use of eval
CWE-710 JavaScript/TypeScript js/non-standard-language-feature Use of platform-specific language features
CWE-710 JavaScript/TypeScript js/for-in-comprehension Use of for-in comprehension blocks
CWE-710 JavaScript/TypeScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE-710 JavaScript/TypeScript js/yield-outside-generator Yield in non-generator function
CWE-710 JavaScript/TypeScript js/node/assignment-to-exports-variable Assignment to exports variable
CWE-710 JavaScript/TypeScript js/regex/unmatchable-caret Unmatchable caret in regular expression
CWE-710 JavaScript/TypeScript js/regex/unmatchable-dollar Unmatchable dollar in regular expression
CWE-710 JavaScript/TypeScript js/remote-property-injection Remote property injection
CWE-710 JavaScript/TypeScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-710 JavaScript/TypeScript js/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE-710 JavaScript/TypeScript js/hardcoded-credentials Hard-coded credentials
CWE-710 JavaScript/TypeScript js/http-to-file-access Network data written to file
CWE-710 JavaScript/TypeScript js/useless-assignment-in-return Return statement assigns local variable
CWE-710 JavaScript/TypeScript js/unreachable-statement Unreachable statement
CWE-710 JavaScript/TypeScript js/trivial-conditional Useless conditional
CWE-710 JavaScript/TypeScript js/remote-property-injection-more-sources Remote property injection with additional heuristic sources
CWE-710 Python py/equals-hash-mismatch Inconsistent equality and hashing
CWE-710 Python py/call/wrong-named-class-argument Wrong name for an argument in a class instantiation
CWE-710 Python py/call/wrong-number-class-arguments Wrong number of arguments in a class instantiation
CWE-710 Python py/unreachable-except Unreachable 'except' block
CWE-710 Python py/super-not-enclosing-class First argument to super() is not enclosing class
CWE-710 Python py/comparison-of-constants Comparison of constants
CWE-710 Python py/comparison-of-identical-expressions Comparison of identical values
CWE-710 Python py/comparison-missing-self Maybe missing 'self' in comparison
CWE-710 Python py/redundant-comparison Redundant comparison
CWE-710 Python py/duplicate-key-dict-literal Duplicate key in dict literal
CWE-710 Python py/call/wrong-named-argument Wrong name for an argument in a call
CWE-710 Python py/percent-format/wrong-arguments Wrong number of arguments for format
CWE-710 Python py/call/wrong-arguments Wrong number of arguments in a call
CWE-710 Python py/import-deprecated-module Import of deprecated module
CWE-710 Python py/hardcoded-credentials Hard-coded credentials
CWE-710 Python py/constant-conditional-expression Constant in conditional expression or statement
CWE-710 Python py/redundant-assignment Redundant assignment
CWE-710 Python py/ineffectual-statement Statement has no effect
CWE-710 Python py/unreachable-statement Unreachable code
CWE-710 Python py/multiple-definition Variable defined multiple times
CWE-710 Python py/unused-local-variable Unused local variable
CWE-710 Python py/unused-global-variable Unused global variable
CWE-710 Ruby rb/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE-710 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE-710 Ruby rb/http-to-file-access Network data written to file
CWE-710 Ruby rb/useless-assignment-to-local Useless assignment to local variable
CWE-710 Ruby rb/unused-parameter Unused parameter.
CWE-710 Swift swift/static-initialization-vector Static initialization vector for encryption
CWE-710 Swift swift/constant-password Constant password
CWE-710 Swift swift/hardcoded-key Hard-coded encryption key
CWE-732 C/C++ cpp/world-writable-file-creation File created without restricting permissions
CWE-732 C/C++ cpp/open-call-with-mode-argument File opened with O_CREAT flag but without mode argument
CWE-732 C/C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE-732 Java/Kotlin java/local-temp-file-or-directory-information-disclosure Local information disclosure in a temporary directory
CWE-732 Java/Kotlin java/world-writable-file-read Reading from a world writable file
CWE-732 Python py/overly-permissive-file Overly permissive file permissions
CWE-732 Ruby rb/weak-cookie-configuration Weak cookie configuration
CWE-732 Ruby rb/overly-permissive-file Overly permissive file permissions
CWE-733 C/C++ cpp/memset-may-be-deleted Call to memset may be deleted
CWE-749 Java/Kotlin java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android WebView
CWE-749 Swift swift/unsafe-webview-fetch Unsafe WebView fetch
CWE-749 Swift swift/unsafe-js-eval JavaScript Injection
CWE-754 C/C++ cpp/incorrectly-checked-scanf Incorrect return-value check for a 'scanf'-like function
CWE-754 C/C++ cpp/missing-check-scanf Missing return-value check for a 'scanf'-like function
CWE-754 C/C++ cpp/return-value-ignored Return value of a function is ignored
CWE-754 C/C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE-754 C/C++ cpp/inconsistent-call-on-result Inconsistent operation on return value
CWE-754 C/C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE-754 C/C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE-754 C/C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE-754 C/C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE-754 C/C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE-754 C/C++ cpp/improper-check-return-value-scanf Improper check of return value of scanf
CWE-754 C# cs/unchecked-return-value Unchecked return value
CWE-754 Java/Kotlin java/inconsistent-call-on-result Inconsistent operation on return value
CWE-754 Java/Kotlin java/return-value-ignored Method result ignored
CWE-754 Java/Kotlin java/unsafe-cert-trust Unsafe certificate trust
CWE-754 JavaScript/TypeScript js/unvalidated-dynamic-method-call Unvalidated dynamic method call
CWE-754 Python py/ignored-return-value Ignored return value
CWE-755 C/C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE-755 C/C++ cpp/operator-find-incorrectly-used-exceptions Operator Find Incorrectly Used Exceptions
CWE-755 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE-755 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE-755 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE-755 C# cs/empty-catch-block Poor error handling: empty catch block
CWE-755 C# cs/catch-of-all-exceptions Generic catch clause
CWE-755 C# cs/information-exposure-through-exception Information exposure through an exception
CWE-755 C# cs/web/missing-global-error-handler Missing global error handler
CWE-755 Go go/stack-trace-exposure Information exposure through a stack trace
CWE-755 Java/Kotlin java/stack-trace-exposure Information exposure through a stack trace
CWE-755 Java/Kotlin java/overly-general-catch Overly-general catch clause
CWE-755 Java/Kotlin java/android/nfe-local-android-dos Local Android DoS Caused By NumberFormatException
CWE-755 JavaScript/TypeScript js/stack-trace-exposure Information exposure through a stack trace
CWE-755 Python py/catch-base-exception Except block handles 'BaseException'
CWE-755 Python py/empty-except Empty except
CWE-755 Python py/stack-trace-exposure Information exposure through an exception
CWE-755 Ruby rb/stack-trace-exposure Information exposure through an exception
CWE-756 C# cs/web/missing-global-error-handler Missing global error handler
CWE-757 Swift swift/insecure-tls Insecure TLS configuration
CWE-758 C/C++ cpp/pointer-overflow-check Pointer overflow check
CWE-758 C/C++ cpp/memset-may-be-deleted Call to memset may be deleted
CWE-758 C/C++ cpp/errors-of-undefined-program-behavior Errors Of Undefined Program Behavior
CWE-758 C# cs/captured-foreach-variable Capturing a foreach variable
CWE-758 JavaScript/TypeScript js/conflicting-html-attribute Conflicting HTML element attributes
CWE-758 JavaScript/TypeScript js/malformed-html-id Malformed id attribute
CWE-758 JavaScript/TypeScript js/conditional-comment Conditional comments
CWE-758 JavaScript/TypeScript js/non-standard-language-feature Use of platform-specific language features
CWE-758 JavaScript/TypeScript js/for-in-comprehension Use of for-in comprehension blocks
CWE-758 JavaScript/TypeScript js/yield-outside-generator Yield in non-generator function
CWE-759 C# cs/hash-without-salt Use of a hash function without a salt
CWE-759 Java/Kotlin java/hash-without-salt Use of a hash function without a salt
CWE-760 Swift swift/constant-salt Use of constant salts
CWE-764 C/C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE-764 C/C++ cpp/twice-locked Mutex locked twice
CWE-764 C/C++ cpp/unreleased-lock Lock may not be released
CWE-764 Java/Kotlin java/unreleased-lock Unreleased lock
CWE-770 C/C++ cpp/alloca-in-loop Call to alloca in a loop
CWE-770 C/C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE-770 Go go/uncontrolled-allocation-size Slice memory allocation with excessive size value
CWE-770 JavaScript/TypeScript js/missing-rate-limiting Missing rate limiting
CWE-770 JavaScript/TypeScript js/resource-exhaustion Resource exhaustion
CWE-770 JavaScript/TypeScript js/resource-exhaustion-more-sources Resource exhaustion with additional heuristic sources
CWE-770 Python py/unicode-dos Denial of Service using Unicode Characters
CWE-772 C/C++ cpp/catch-missing-free Leaky catch
CWE-772 C/C++ cpp/descriptor-may-not-be-closed Open descriptor may not be closed
CWE-772 C/C++ cpp/descriptor-never-closed Open descriptor never closed
CWE-772 C/C++ cpp/file-may-not-be-closed Open file may not be closed
CWE-772 C/C++ cpp/file-never-closed Open file is not closed
CWE-772 C/C++ cpp/memory-may-not-be-freed Memory may not be freed
CWE-772 C/C++ cpp/memory-never-freed Memory is never freed
CWE-772 C/C++ cpp/new-free-mismatch Mismatching new/free or malloc/delete
CWE-772 C/C++ cpp/memory-leak-on-failed-call-to-realloc Memory leak on failed call to realloc
CWE-772 Java/Kotlin java/input-resource-leak Potential input resource leak
CWE-772 Java/Kotlin java/database-resource-leak Potential database resource leak
CWE-772 Java/Kotlin java/output-resource-leak Potential output resource leak
CWE-772 Python py/file-not-closed File is not always closed
CWE-775 C/C++ cpp/descriptor-may-not-be-closed Open descriptor may not be closed
CWE-775 C/C++ cpp/descriptor-never-closed Open descriptor never closed
CWE-775 C/C++ cpp/file-may-not-be-closed Open file may not be closed
CWE-775 C/C++ cpp/file-never-closed Open file is not closed
CWE-776 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-776 C# cs/insecure-xml-read XML is read insecurely
CWE-776 Java/Kotlin java/xxe Resolving XML external entity in user-controlled data
CWE-776 Java/Kotlin java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE-776 JavaScript/TypeScript js/xml-bomb XML internal entity expansion
CWE-776 JavaScript/TypeScript js/xml-bomb-more-sources XML internal entity expansion with additional heuristic sources
CWE-776 Python py/xml-bomb XML internal entity expansion
CWE-776 Python py/simple-xml-rpc-server-dos SimpleXMLRPCServer denial of service
CWE-776 Ruby rb/xxe XML external entity expansion
CWE-776 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE-780 C# cs/inadequate-rsa-padding Weak encryption: inadequate RSA padding
CWE-780 Java/Kotlin java/rsa-without-oaep Use of RSA algorithm without OAEP
CWE-783 C/C++ cpp/operator-precedence-logic-error-when-use-bitwise-logical-operations Operator Precedence Logic Error When Use Bitwise Or Logical Operations
CWE-783 C/C++ cpp/operator-precedence-logic-error-when-use-bool-type Operator Precedence Logic Error When Use Bool Type
CWE-783 Go go/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE-783 Java/Kotlin java/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE-783 JavaScript/TypeScript js/unclear-operator-precedence Unclear precedence of nested operators
CWE-783 JavaScript/TypeScript js/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE-787 C/C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE-787 C/C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE-787 C/C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE-787 C/C++ cpp/badly-bounded-write Badly bounded write
CWE-787 C/C++ cpp/overrunning-write Potentially overrunning write
CWE-787 C/C++ cpp/overrunning-write-with-float Potentially overrunning write with float to string conversion
CWE-787 C/C++ cpp/unbounded-write Unbounded write
CWE-787 C/C++ cpp/very-likely-overrunning-write Likely overrunning write
CWE-787 C/C++ cpp/unterminated-variadic-call Unterminated variadic call
CWE-787 C/C++ cpp/no-space-for-terminator No space for zero terminator
CWE-787 C/C++ cpp/invalid-pointer-deref Invalid pointer dereference
CWE-787 C/C++ cpp/sign-conversion-pointer-arithmetic unsigned to signed used in pointer arithmetic
CWE-787 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE-788 C/C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE-788 C/C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE-788 C/C++ cpp/unsafe-strncat Potentially unsafe call to strncat
CWE-788 C/C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE-788 C/C++ cpp/unterminated-variadic-call Unterminated variadic call
CWE-788 C/C++ cpp/no-space-for-terminator No space for zero terminator
CWE-788 C/C++ cpp/openssl-heartbleed Use of a version of OpenSSL with Heartbleed
CWE-788 C/C++ cpp/access-memory-location-after-end-buffer-strlen Access Of Memory Location After End Of Buffer
CWE-788 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE-788 Go go/wrong-usage-of-unsafe Wrong usage of package unsafe
CWE-789 C/C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE-798 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE-798 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-798 C# cs/hardcoded-credentials Hard-coded credentials
CWE-798 Go go/hardcoded-credentials Hard-coded credentials
CWE-798 Go go/parse-jwt-with-hardcoded-key Decoding JWT with hardcoded key
CWE-798 Java/Kotlin java/hardcoded-credential-api-call Hard-coded credential in API call
CWE-798 Java/Kotlin java/hardcoded-credential-comparison Hard-coded credential comparison
CWE-798 Java/Kotlin java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE-798 Java/Kotlin java/hardcoded-password-field Hard-coded password field
CWE-798 JavaScript/TypeScript js/hardcoded-credentials Hard-coded credentials
CWE-798 Python py/hardcoded-credentials Hard-coded credentials
CWE-798 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE-798 Swift swift/constant-password Constant password
CWE-798 Swift swift/hardcoded-key Hard-coded encryption key
CWE-799 JavaScript/TypeScript js/missing-rate-limiting Missing rate limiting
CWE-805 C/C++ cpp/badly-bounded-write Badly bounded write
CWE-805 C/C++ cpp/overrunning-write Potentially overrunning write
CWE-805 C/C++ cpp/overrunning-write-with-float Potentially overrunning write with float to string conversion
CWE-805 C/C++ cpp/unbounded-write Unbounded write
CWE-805 C/C++ cpp/very-likely-overrunning-write Likely overrunning write
CWE-805 C/C++ cpp/buffer-access-with-incorrect-length-value Buffer access with incorrect length value
CWE-807 C/C++ cpp/tainted-permissions-check Untrusted input for a condition
CWE-807 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE-807 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE-807 Java/Kotlin java/user-controlled-bypass User-controlled bypass of sensitive method
CWE-807 Java/Kotlin java/tainted-permissions-check User-controlled data used in permissions check
CWE-807 JavaScript/TypeScript js/user-controlled-bypass User-controlled bypass of security check
CWE-807 JavaScript/TypeScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE-807 JavaScript/TypeScript js/user-controlled-bypass-more-sources User-controlled bypass of security check with additional heuristic sources
CWE-807 Ruby rb/user-controlled-bypass User-controlled bypass of security check
CWE-820 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE-820 Java/Kotlin java/lazy-initialization Incorrect lazy initialization of a static field
CWE-820 Java/Kotlin java/non-sync-override Non-synchronized override of synchronized method
CWE-821 Java/Kotlin java/ejb/synchronization EJB uses synchronization
CWE-821 Java/Kotlin java/call-to-thread-run Direct call to a run() method
CWE-823 C/C++ cpp/late-negative-test Pointer offset used before it is checked
CWE-823 C/C++ cpp/missing-negativity-test Unchecked return value used as offset
CWE-825 C/C++ cpp/double-free Potential double free
CWE-825 C/C++ cpp/use-after-free Potential use after free
CWE-825 C/C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE-825 C/C++ cpp/using-expired-stack-address Use of expired stack-address
CWE-825 C/C++ cpp/use-of-string-after-lifetime-ends Use of string after lifetime ends
CWE-825 C/C++ cpp/use-of-unique-pointer-after-lifetime-ends Use of unique pointer after lifetime ends
CWE-825 C/C++ cpp/experimental-double-free Errors When Double Free
CWE-825 C/C++ cpp/iterator-to-expired-container Iterator to expired container
CWE-825 C/C++ cpp/use-after-expired-lifetime Use of object after its lifetime has ended
CWE-825 C/C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE-826 C/C++ cpp/self-assignment-check Self assignment check
CWE-827 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-827 C# cs/insecure-xml-read XML is read insecurely
CWE-827 Java/Kotlin java/xxe Resolving XML external entity in user-controlled data
CWE-827 Java/Kotlin java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE-827 JavaScript/TypeScript js/xxe XML external entity expansion
CWE-827 JavaScript/TypeScript js/xxe-more-sources XML external entity expansion with additional heuristic sources
CWE-827 Python py/xxe XML external entity expansion
CWE-827 Ruby rb/xxe XML external entity expansion
CWE-827 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE-829 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-829 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-829 C# cs/insecure-xml-read XML is read insecurely
CWE-829 Java/Kotlin java/xxe Resolving XML external entity in user-controlled data
CWE-829 Java/Kotlin java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE-829 Java/Kotlin java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE-829 JavaScript/TypeScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE-829 JavaScript/TypeScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-829 JavaScript/TypeScript js/xxe XML external entity expansion
CWE-829 JavaScript/TypeScript js/insecure-download Download of sensitive file through insecure connection
CWE-829 JavaScript/TypeScript js/functionality-from-untrusted-source Inclusion of functionality from an untrusted source
CWE-829 JavaScript/TypeScript js/xxe-more-sources XML external entity expansion with additional heuristic sources
CWE-829 Python py/xxe XML external entity expansion
CWE-829 Ruby rb/insecure-dependency Dependency download using unencrypted communication channel
CWE-829 Ruby rb/xxe XML external entity expansion
CWE-829 Ruby rb/insecure-download Download of sensitive file through insecure connection
CWE-829 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE-830 JavaScript/TypeScript js/functionality-from-untrusted-source Inclusion of functionality from an untrusted source
CWE-833 C/C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE-833 C/C++ cpp/twice-locked Mutex locked twice
CWE-833 C/C++ cpp/unreleased-lock Lock may not be released
CWE-833 C# cs/locked-wait A lock is held during a wait
CWE-833 Java/Kotlin java/sleep-with-lock-held Sleep with lock held
CWE-833 Java/Kotlin java/unreleased-lock Unreleased lock
CWE-833 Java/Kotlin java/wait-with-two-locks Wait with two locks held
CWE-833 Java/Kotlin java/lock-order-inconsistency Lock order inconsistency
CWE-834 C/C++ cpp/inconsistent-loop-direction Inconsistent direction of for loop
CWE-834 C/C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE-834 C/C++ cpp/infinite-loop-with-unsatisfiable-exit-condition Infinite loop with unsatisfiable exit condition
CWE-834 C# cs/constant-condition Constant condition
CWE-834 C# cs/linq/inconsistent-enumeration Bad multiple iteration
CWE-834 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-834 C# cs/insecure-xml-read XML is read insecurely
CWE-834 Go go/inconsistent-loop-direction Inconsistent direction of for loop
CWE-834 Java/Kotlin java/constant-loop-condition Constant loop condition
CWE-834 Java/Kotlin java/xxe Resolving XML external entity in user-controlled data
CWE-834 Java/Kotlin java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE-834 Java/Kotlin java/unreachable-exit-in-loop Loop with unreachable exit condition
CWE-834 JavaScript/TypeScript js/xml-bomb XML internal entity expansion
CWE-834 JavaScript/TypeScript js/loop-bound-injection Loop bound injection
CWE-834 JavaScript/TypeScript js/inconsistent-loop-direction Inconsistent direction of for loop
CWE-834 JavaScript/TypeScript js/xml-bomb-more-sources XML internal entity expansion with additional heuristic sources
CWE-834 Python py/xml-bomb XML internal entity expansion
CWE-834 Python py/simple-xml-rpc-server-dos SimpleXMLRPCServer denial of service
CWE-834 Ruby rb/xxe XML external entity expansion
CWE-834 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE-835 C/C++ cpp/inconsistent-loop-direction Inconsistent direction of for loop
CWE-835 C/C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE-835 C/C++ cpp/infinite-loop-with-unsatisfiable-exit-condition Infinite loop with unsatisfiable exit condition
CWE-835 C# cs/constant-condition Constant condition
CWE-835 Go go/inconsistent-loop-direction Inconsistent direction of for loop
CWE-835 Java/Kotlin java/constant-loop-condition Constant loop condition
CWE-835 Java/Kotlin java/unreachable-exit-in-loop Loop with unreachable exit condition
CWE-835 JavaScript/TypeScript js/inconsistent-loop-direction Inconsistent direction of for loop
CWE-838 C# cs/inappropriate-encoding Inappropriate encoding
CWE-843 C/C++ cpp/upcast-array-pointer-arithmetic Upcast array used in pointer arithmetic
CWE-843 C/C++ cpp/type-confusion Type confusion
CWE-843 JavaScript/TypeScript js/type-confusion-through-parameter-tampering Type confusion through parameter tampering
CWE-862 C# cs/empty-password-in-configuration Empty password in configuration file
CWE-862 C# cs/web/missing-function-level-access-control Missing function level access control
CWE-862 C# cs/web/insecure-direct-object-reference Insecure Direct Object Reference
CWE-862 Java/Kotlin java/incorrect-url-verification Incorrect URL verification
CWE-862 JavaScript/TypeScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE-862 JavaScript/TypeScript js/empty-password-in-configuration-file Empty password in configuration file
CWE-862 JavaScript/TypeScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE-863 Java/Kotlin java/permissive-dot-regex URL matched by permissive . in a regular expression
CWE-908 C/C++ cpp/improper-check-return-value-scanf Improper check of return value of scanf
CWE-909 C/C++ cpp/initialization-not-run Initialization code not run
CWE-912 JavaScript/TypeScript js/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE-912 JavaScript/TypeScript js/http-to-file-access Network data written to file
CWE-912 Ruby rb/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE-912 Ruby rb/http-to-file-access Network data written to file
CWE-913 C# cs/code-injection Improper control of generation of code
CWE-913 C# cs/deserialized-delegate Deserialized delegate
CWE-913 C# cs/unsafe-deserialization Unsafe deserializer
CWE-913 C# cs/unsafe-deserialization-untrusted-input Deserialization of untrusted data
CWE-913 Go go/unsafe-quoting Potentially unsafe quoting
CWE-913 Java/Kotlin java/android/arbitrary-apk-installation Android APK installation
CWE-913 Java/Kotlin java/groovy-injection Groovy Language injection
CWE-913 Java/Kotlin java/insecure-bean-validation Insecure Bean Validation
CWE-913 Java/Kotlin java/jexl-expression-injection Expression language injection (JEXL)
CWE-913 Java/Kotlin java/mvel-expression-injection Expression language injection (MVEL)
CWE-913 Java/Kotlin java/spel-expression-injection Expression language injection (Spring)
CWE-913 Java/Kotlin java/server-side-template-injection Server-side template injection
CWE-913 Java/Kotlin java/android/fragment-injection Android fragment injection
CWE-913 Java/Kotlin java/android/fragment-injection-preference-activity Android fragment injection in PreferenceActivity
CWE-913 Java/Kotlin java/unsafe-deserialization Deserialization of user-controlled data
CWE-913 Java/Kotlin java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE-913 Java/Kotlin java/beanshell-injection BeanShell injection
CWE-913 Java/Kotlin java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE-913 Java/Kotlin java/jshell-injection JShell injection
CWE-913 Java/Kotlin java/javaee-expression-injection Jakarta Expression Language injection
CWE-913 Java/Kotlin java/jython-injection Injection in Jython
CWE-913 Java/Kotlin java/unsafe-eval Injection in Java Script Engine
CWE-913 Java/Kotlin java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE-913 Java/Kotlin java/spring-view-manipulation Spring View Manipulation
CWE-913 Java/Kotlin java/android/unsafe-reflection Load 3rd party classes or code ('unsafe reflection') without signature check
CWE-913 Java/Kotlin java/unsafe-reflection Use of externally-controlled input to select classes or code ('unsafe reflection')
CWE-913 Java/Kotlin java/unsafe-deserialization-rmi Unsafe deserialization in a remotely callable method.
CWE-913 Java/Kotlin java/unsafe-deserialization-spring-exporter-in-configuration-class Unsafe deserialization with Spring's remote service exporters.
CWE-913 Java/Kotlin java/unsafe-deserialization-spring-exporter-in-xml-configuration Unsafe deserialization with Spring's remote service exporters.
CWE-913 JavaScript/TypeScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE-913 JavaScript/TypeScript js/template-object-injection Template Object Injection
CWE-913 JavaScript/TypeScript js/code-injection Code injection
CWE-913 JavaScript/TypeScript js/actions/command-injection Expression injection in Actions
CWE-913 JavaScript/TypeScript js/bad-code-sanitization Improper code sanitization
CWE-913 JavaScript/TypeScript js/unsafe-code-construction Unsafe code constructed from library input
CWE-913 JavaScript/TypeScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE-913 JavaScript/TypeScript js/unsafe-deserialization Deserialization of user-controlled data
CWE-913 JavaScript/TypeScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE-913 JavaScript/TypeScript js/prototype-pollution-utility Prototype-polluting function
CWE-913 JavaScript/TypeScript js/prototype-pollution Prototype-polluting merge call
CWE-913 JavaScript/TypeScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE-913 JavaScript/TypeScript js/code-injection-more-sources Code injection with additional heuristic sources
CWE-913 JavaScript/TypeScript js/unsafe-deserialization-more-sources Deserialization of user-controlled data with additional heuristic sources
CWE-913 JavaScript/TypeScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE-913 Python py/code-injection Code injection
CWE-913 Python py/unsafe-deserialization Deserialization of user-controlled data
CWE-913 Ruby rb/unsafe-unsafeyamldeserialization Deserialization of user-controlled yaml data
CWE-913 Ruby rb/server-side-template-injection Server-side template injection
CWE-913 Ruby rb/code-injection Code injection
CWE-913 Ruby rb/unsafe-code-construction Unsafe code constructed from library input
CWE-913 Ruby rb/unsafe-deserialization Deserialization of user-controlled data
CWE-913 Ruby rb/insecure-mass-assignment Insecure Mass Assignment
CWE-913 Swift swift/unsafe-webview-fetch Unsafe WebView fetch
CWE-913 Swift swift/unsafe-js-eval JavaScript Injection
CWE-915 JavaScript/TypeScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE-915 JavaScript/TypeScript js/prototype-pollution-utility Prototype-polluting function
CWE-915 JavaScript/TypeScript js/prototype-pollution Prototype-polluting merge call
CWE-915 JavaScript/TypeScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE-915 Ruby rb/insecure-mass-assignment Insecure Mass Assignment
CWE-916 C# cs/hash-without-salt Use of a hash function without a salt
CWE-916 Java/Kotlin java/hash-without-salt Use of a hash function without a salt
CWE-916 JavaScript/TypeScript js/insufficient-password-hash Use of password hash with insufficient computational effort
CWE-916 Python py/weak-sensitive-data-hashing Use of a broken or weak cryptographic hashing algorithm on sensitive data
CWE-916 Swift swift/weak-password-hashing Use of an inappropriate cryptographic hashing algorithm on passwords
CWE-916 Swift swift/constant-salt Use of constant salts
CWE-916 Swift swift/insufficient-hash-iterations Insufficient hash iterations
CWE-917 Java/Kotlin java/ognl-injection OGNL Expression Language statement with user-controlled input
CWE-918 C# cs/request-forgery Server-side request forgery
CWE-918 Go go/request-forgery Uncontrolled data used in network request
CWE-918 Go go/ssrf Uncontrolled data used in network request
CWE-918 Java/Kotlin java/ssrf Server-side request forgery
CWE-918 JavaScript/TypeScript js/client-side-request-forgery Client-side request forgery
CWE-918 JavaScript/TypeScript js/request-forgery Server-side request forgery
CWE-918 JavaScript/TypeScript javascript/ssrf Uncontrolled data used in network request
CWE-918 Python py/full-ssrf Full server-side request forgery
CWE-918 Python py/partial-ssrf Partial server-side request forgery
CWE-918 Ruby rb/request-forgery Server-side request forgery
CWE-922 C/C++ cpp/cleartext-storage-buffer Cleartext storage of sensitive information in buffer
CWE-922 C/C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE-922 C/C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE-922 C# cs/password-in-configuration Password in configuration file
CWE-922 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE-922 Go go/clear-text-logging Clear-text logging of sensitive information
CWE-922 Java/Kotlin java/android/backup-enabled Application backup allowed
CWE-922 Java/Kotlin java/android/cleartext-storage-database Cleartext storage of sensitive information using a local database on Android
CWE-922 Java/Kotlin java/android/cleartext-storage-filesystem Cleartext storage of sensitive information in the Android filesystem
CWE-922 Java/Kotlin java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE-922 Java/Kotlin java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE-922 Java/Kotlin java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE-922 Java/Kotlin java/android/cleartext-storage-shared-prefs Cleartext storage of sensitive information using SharedPreferences on Android
CWE-922 JavaScript/TypeScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE-922 JavaScript/TypeScript js/clear-text-logging Clear-text logging of sensitive information
CWE-922 JavaScript/TypeScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE-922 JavaScript/TypeScript js/password-in-configuration-file Password in configuration file
CWE-922 JavaScript/TypeScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE-922 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE-922 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE-922 Ruby rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE-922 Ruby rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE-922 Swift swift/cleartext-storage-database Cleartext storage of sensitive information in a local database
CWE-922 Swift swift/cleartext-logging Cleartext logging of sensitive information
CWE-922 Swift swift/cleartext-storage-preferences Cleartext storage of sensitive information in an application preference store
CWE-923 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE-923 Go go/insecure-hostkeycallback Use of insecure HostKeyCallback implementation
CWE-923 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE-923 Java/Kotlin java/insecure-smtp-ssl Insecure JavaMail SSL Configuration
CWE-923 Java/Kotlin java/unsafe-hostname-verification Unsafe hostname verification
CWE-923 Java/Kotlin java/socket-auth-race-condition Race condition in socket authentication
CWE-923 Java/Kotlin java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE-923 Java/Kotlin java/improper-intent-verification Improper verification of intent by broadcast receiver
CWE-923 Java/Kotlin java/android/intent-redirection Android Intent redirection
CWE-923 Java/Kotlin java/ignored-hostname-verification Ignored result of hostname verification
CWE-923 Java/Kotlin java/insecure-ldaps-endpoint Insecure LDAPS Endpoint Configuration
CWE-923 JavaScript/TypeScript js/missing-origin-check Missing origin verification in postMessage handler
CWE-923 JavaScript/TypeScript js/disabling-certificate-validation Disabling certificate validation
CWE-923 JavaScript/TypeScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE-923 Ruby rb/insecure-dependency Dependency download using unencrypted communication channel
CWE-925 Java/Kotlin java/improper-intent-verification Improper verification of intent by broadcast receiver
CWE-926 Java/Kotlin java/android/intent-uri-permission-manipulation Intent URI permission manipulation
CWE-926 Java/Kotlin java/android/incomplete-provider-permissions Missing read or write permission in a content provider
CWE-926 Java/Kotlin java/android/implicitly-exported-component Implicitly exported Android component
CWE-926 Java/Kotlin java/android/intent-redirection Android Intent redirection
CWE-927 Java/Kotlin java/android/implicit-pendingintents Use of implicit PendingIntents
CWE-927 Java/Kotlin java/android/sensitive-communication Leaking sensitive information through an implicit Intent
CWE-927 Java/Kotlin java/android/sensitive-result-receiver Leaking sensitive information through a ResultReceiver
CWE-939 Java/Kotlin java/incorrect-url-verification Incorrect URL verification
CWE-940 Java/Kotlin java/android/intent-redirection Android Intent redirection
CWE-940 JavaScript/TypeScript js/missing-origin-check Missing origin verification in postMessage handler
CWE-942 Go go/cors-misconfiguration CORS misconfiguration
CWE-942 JavaScript/TypeScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE-942 JavaScript/TypeScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE-943 C/C++ cpp/sql-injection Uncontrolled data in SQL query
CWE-943 C# cs/sql-injection SQL query built from user-controlled sources
CWE-943 C# cs/ldap-injection LDAP query built from user-controlled sources
CWE-943 C# cs/xml/xpath-injection XPath injection
CWE-943 Go go/sql-injection Database query built from user-controlled sources
CWE-943 Go go/unsafe-quoting Potentially unsafe quoting
CWE-943 Go go/xml/xpath-injection XPath injection
CWE-943 Go go/ldap-injection LDAP query built from user-controlled sources
CWE-943 Java/Kotlin java/concatenated-sql-query Query built by concatenation with a possibly-untrusted string
CWE-943 Java/Kotlin java/sql-injection Query built from user-controlled sources
CWE-943 Java/Kotlin java/sql-injection-local Query built from local-user-controlled sources
CWE-943 Java/Kotlin java/ldap-injection LDAP query built from user-controlled sources
CWE-943 Java/Kotlin java/xml/xpath-injection XPath injection
CWE-943 Java/Kotlin java/mybatis-annotation-sql-injection SQL injection in MyBatis annotation
CWE-943 Java/Kotlin java/mybatis-xml-sql-injection SQL injection in MyBatis Mapper XML
CWE-943 Java/Kotlin java/xquery-injection XQuery query built from user-controlled sources
CWE-943 JavaScript/TypeScript js/sql-injection Database query built from user-controlled sources
CWE-943 JavaScript/TypeScript js/xpath-injection XPath injection
CWE-943 JavaScript/TypeScript js/sql-injection-more-sources Database query built from user-controlled sources with additional heuristic sources
CWE-943 JavaScript/TypeScript js/xpath-injection-more-sources XPath injection with additional heuristic sources
CWE-943 Python py/sql-injection SQL query built from user-controlled sources
CWE-943 Python py/ldap-injection LDAP query built from user-controlled sources
CWE-943 Python py/xpath-injection XPath query built from user-controlled sources
CWE-943 Python py/nosql-injection NoSQL Injection
CWE-943 Python py/xslt-injection XSLT query built from user-controlled sources
CWE-943 Ruby rb/ldap-injection LDAP Injection
CWE-943 Ruby rb/xpath-injection XPath query built from user-controlled sources
CWE-943 Ruby rb/sql-injection SQL query built from user-controlled sources
CWE-943 Swift swift/sql-injection Database query built from user-controlled sources
CWE-943 Swift swift/predicate-injection Predicate built from user-controlled sources
CWE-1004 C# cs/web/cookie-httponly-not-set 'HttpOnly' attribute is not set to true
CWE-1004 Go go/cookie-httponly-not-set 'HttpOnly' attribute is not set to true
CWE-1004 Java/Kotlin java/tomcat-disabled-httponly Tomcat config disables 'HttpOnly' flag (XSS risk)
CWE-1004 Java/Kotlin java/sensitive-cookie-not-httponly Sensitive cookies without the HttpOnly response header set
CWE-1004 JavaScript/TypeScript js/client-exposed-cookie Sensitive server cookie exposed to the client
CWE-1022 JavaScript/TypeScript js/unsafe-external-link Potentially unsafe external link
CWE-1041 C/C++ cpp/call-to-function-without-wrapper Missed opportunity to call wrapper function
CWE-1078 C/C++ cpp/comma-before-misleading-indentation Comma before misleading indentation
CWE-1104 Java/Kotlin java/maven/dependency-upon-bintray Depending upon JCenter/Bintray as an artifact repository
CWE-1126 C/C++ cpp/errors-when-using-variable-declaration-inside-loop Errors When Using Variable Declaration Inside Loop
CWE-1176 JavaScript/TypeScript js/angular/double-compilation Double compilation
CWE-1204 Java/Kotlin java/static-initialization-vector Using a static initialization vector for encryption
CWE-1204 Swift swift/static-initialization-vector Static initialization vector for encryption
CWE-1236 Python py/csv-injection Csv Injection
CWE-1240 C/C++ cpp/crypto-primitive Implementation of a cryptographic primitive
CWE-1275 JavaScript/TypeScript js/samesite-none-cookie Sensitive cookie without SameSite restrictions
CWE-1275 Ruby rb/weak-cookie-configuration Weak cookie configuration
CWE-1333 C# cs/redos Denial of Service from comparison of user input against expensive regex
CWE-1333 Java/Kotlin java/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE-1333 Java/Kotlin java/redos Inefficient regular expression
CWE-1333 JavaScript/TypeScript js/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE-1333 JavaScript/TypeScript js/redos Inefficient regular expression
CWE-1333 Python py/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE-1333 Python py/redos Inefficient regular expression
CWE-1333 Ruby rb/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE-1333 Ruby rb/redos Inefficient regular expression
CWE-1333 Ruby rb/regexp-injection Regular expression injection
CWE-1333 Swift swift/redos Inefficient regular expression
CWE-1336 Java/Kotlin java/server-side-template-injection Server-side template injection
  • © GitHub, Inc.
  • Terms
  • Privacy